Secure session capability using public-key cryptography without access to the private key

ABSTRACT

A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server proxies messages to/from the different server including a set of signed cryptographic parameters signed using the private key on the different server. The different server generates the master secret, and generates and transmits the session keys to the server that are to be used in the secure session for encrypting and decrypting communication between the client device and the server.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 14/248,256,filed Apr. 8, 2014, which is hereby incorporated by reference.

FIELD

Embodiments of the invention relate to the field of secure networkcommunications; and more specifically, to establishing a secure session(e.g., Secure Sockets Layer (SSL), Transport Layer Security (TLS)) usingpublic-key cryptography where the server does not have access to theprivate key used during the secure session handshake.

BACKGROUND

Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which isthe successor to SSL, provide secure network connections. SSL and/or TLSare commonly used during web browsing (e.g., using HTTPS), email, andother Internet applications. SSL and TLS are described in severalRequest For Comments (RFCs), including RFC 2246 (describing TLS 1.0),RFC 4346 (describing TLS 1.1), RFC 5246 (describing TLS 1.2), and RFC6101 (describing SSL 3.0).

An SSL or TLS client and server negotiate a set of parameters toestablish a secure session in a process called a handshake. For example,the client transmits a hello message (referred to as a ClientHellomessage) that includes the following: an indication of the requestedversion of the SSL or TLS protocol, a requested session identifier usedto identify the session connection, a list of the cipher suites(cryptographic options) supported by the client, a list of thecompression methods supported by the client, random data used forcryptographic purposes (sometimes referred to as ClientHello.random),and may indicate whether and what type of extensions (defined by theprotocol) the client supports.

In response, the server transmits a hello message to the client(referred to as a ServerHello message) that includes the version of theSSL or TLS protocol supported by the server, a session identifier thatwill be used to identify the session, the selected cipher suite(selected from the list of cipher suites included in the ClientHellomessage), the selected compression method (selected from the list ofcompression methods included in the ClientHello message), random dataused for cryptographic purposes that is different than the random dataincluded in the ClientHello message (sometimes referred to asServerHello.random), and may include a list of the extensions that theserver supports.

Following the hello messages, the server transmits a list of itscertificate(s) in a message referred to as a Certificate message(sometimes referred to as a Server Certificate message). The server thentransmits a message indicating that the hello-message phase of thehandshake is complete (referred to as a ServerHelloDone message). Forsome implementations, depending on which key exchange methods are used(e.g., implementations using Diffie-Hellman cipher suites), the serveralso transmits a message to the client (referred to as aServerKeyExchange message) that conveys cryptographic information toallow the client to calculate the premaster secret. This message issigned using the private key of the server. The client then transmits amessage to the server (referred to as a ClientKeyExchange message) thatincludes a random value typically generated by the client called apremaster secret or Diffie-Hellman parameters that allows the client andserver to agree upon the same premaster secret. The premaster secret isused by both the client and the server to generate a shared secret(referred to as the master secret) that is used to generate session keysthat are used to encrypt and decrypt information during the securesession. If the premaster secret is included in the ClientKeyExchangemessage, it is encrypted using the public key in the certificate sent bythe server. By way of a specific example, if the Rivest-Shamir-Adelman(RSA) algorithm is being used for key agreement and authentication, theclient generates a 48-byte value for the premaster secret and encryptsit using the public key from the server's certificate and transmits theencrypted premaster secret to the server. By way of another specificexample, if a Diffie-Hellman implementation is used, theClientKeyExchange message includes the client's Diffie-Hellman publicvalue. By way of another specific example, if a FORTEZZA hardwareencryption system is being used, the client derives a token encryptionkey (TEK) using the FORTEZZA Key Exchange Algorithm (KEA), which itselfuses the public key from the server's certificate along with privateparameters of the client, generates a random 48-byte value for thepremaster secret and encrypts it using the TEK and transmits theencrypted premaster secret to the server.

If the server receives the encrypted premaster secret in theClientKeyExchange message, it decrypts it with their private key. In animplementation where the ClientKeyExchange message includescryptographic parameters to generate the premaster secret, the servergenerates the premaster secret using those cryptographic parameters(which also requires the use of the private key).

The client and server each perform a series of steps to generate amaster secret from the premaster secret, using the random data includedin the ClientHello and ServerHello messages (e.g., theClientHello.random and ServerHello.random). The master secret is ashared secret that is used to generate session keys, which are symmetrickeys that are used to encrypt and decrypt information during the securesession.

The client then transmits a message to the server informing it thatfuture messages will be encrypted (referred to as a ChangeCipherSpecmessage). The client then transmits an encrypted message to the serverfor validation (referred to as a Finished message). The server transmitsto the client a message that future messages will be encrypted (aChangeCipherSpec message) and an encrypted message to the client forvalidation (a Finished message). From then on, the handshake is completeand the secure session is established such that future messages betweenthe client and server are encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the followingdescription and accompanying drawings that are used to illustrateembodiments of the invention. In the drawings:

FIG. 1 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device and a securesession server where the secure session server does not have access tothe private key used during the secure session handshake according toone embodiment;

FIG. 2 is a flow diagram that illustrates exemplary operations forestablishing a secure session implemented with public-key cryptographybetween a client device and a secure session server where the securesession server does not have access to a private key for the requesteddomain according to one embodiment;

FIG. 3 is a flow diagram that illustrates exemplary operations performedby a key server in response to receiving an encrypted premaster secretfrom a secure session server according to one embodiment;

FIG. 4 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device and a securesession server where the secure session server does not have access tothe private key used during the secure session handshake according toanother embodiment;

FIG. 5 is a flow diagram that illustrates exemplary operations forestablishing a secure session implemented with public-key cryptographybetween a client device and a secure session server where the securesession server does not have access to the private key used during thesecure session handshake according to one embodiment;

FIG. 6 is a flow diagram that illustrates exemplary operations performedby a key server in response to receiving a request to sign cryptographicparameters from a secure session server according to one embodiment;

FIG. 7 illustrates another embodiment for establishing a secure sessionbetween a client device and a secure session server where the securesession server does not have access to the private key used during thesecure session handshake;

FIG. 8 is a flow diagram that illustrates exemplary operations forestablishing a secure session implemented with public-key cryptographybetween a client device and a secure session server where the securesession server does not have access to the private key used during thesecure session handshake according to another embodiment;

FIG. 9 is a flow diagram that illustrates exemplary operations performedby a key server according to one embodiment;

FIG. 10 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device and a securesession server where the secure session server does not have access tothe private key used during the secure session handshake according toanother embodiment;

FIG. 11 is a flow diagram that illustrates exemplary operationsperformed on a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and thesecure session server where the secure session server does not haveaccess to a private key for the requested domain according to oneembodiment;

FIG. 12 is a flow diagram that illustrates exemplary operationsperformed by a key server for establishing a secure session according toone embodiment;

FIG. 13 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device and a securesession server where the secure session server does not have access tothe private key used during the secure session handshake according toanother embodiment;

FIG. 14 is a flow diagram that illustrates exemplary operationsperformed on a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and asecure session server where the secure session server does not haveaccess to a private key for the requested domain according to oneembodiment;

FIG. 15 is a flow diagram that illustrates exemplary operationsperformed by a key server in response to receiving an encryptedpremaster secret and other information to generate a set of session keysfor a secure session between a client device and a secure session serveraccording to one embodiment;

FIG. 16A illustrates exemplary messages for establishing a securesession using public-key cryptography between a client device and asecure session server where the secure session server does not haveaccess to the private key for the requested domain and where the keyserver generates and transmits to the secure session server the sessionkeys used for the secure session according to one embodiment;

FIG. 16B illustrates exemplary operations for resuming a sessionaccording to the embodiment of FIG. 16A;

FIG. 17 is a flow diagram that illustrates exemplary operationsperformed by a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and thesecure session server where the secure session server does not haveaccess to a private key for the requested domain according to oneembodiment;

FIG. 18 is a flow diagram that illustrates exemplary operationsperformed by a key server for establishing a secure session connectionbetween a client device and a secure session server that will terminatethe secure session connection according to one embodiment;

FIG. 19A illustrates another embodiment for establishing a securesession between a client device and a secure session server where thesecure session server does not have access to the private key usedduring the secure session handshake;

FIG. 19B illustrates exemplary operations for resuming a sessionaccording to the embodiment of FIG. 19A;

FIG. 20 is a flow diagram that illustrates exemplary operationsperformed by a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and asecure session server where the secure session server does not haveaccess to a private key for the requested domain according to oneembodiment;

FIG. 21 is a flow diagram that illustrates exemplary operationsperformed on a key server for establishing a secure session implementedwith public-key cryptography between a client device and a securesession server where the secure session server does not have access to aprivate key for the requested domain according to one embodiment; and

FIG. 22 is a block diagram illustrating an exemplary computing devicethat may be used in accordance with embodiments of the invention.

DESCRIPTION OF EMBODIMENTS

In the following description, numerous specific details are set forth.However, it is understood that embodiments of the invention may bepracticed without these specific details. In other instances, well-knowncircuits, structures and techniques have not been shown in detail inorder not to obscure the understanding of this description. Those ofordinary skill in the art, with the included descriptions, will be ableto implement appropriate functionality without undue experimentation.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to effect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

In the following description and claims, the terms “coupled” and“connected,” along with their derivatives, may be used. It should beunderstood that these terms are not intended as synonyms for each other.“Coupled” is used to indicate that two or more elements, which may ormay not be in direct physical or electrical contact with each other,co-operate or interact with each other. “Connected” is used to indicatethe establishment of communication between two or more elements that arecoupled with each other.

A method and apparatus for establishing a secure session (e.g., SSL orTLS) using public-key cryptography where the secure session server doesnot have access to the private key used during the secure sessionhandshake is described. The secure session server is a computing devicethat transmits and receives Internet traffic to and from client devicesand is the server in the secure session. For example the secure sessionserver terminates the secure session. By way of a specific example thatis used throughout this specification, the secure session server mayreceive and transmit traffic for the domain https://example.com. Thetraffic may be received at the secure session server as a result of aclient network application of the client device (e.g., a web browser)attempting to visit https://example.com. In one embodiment, the securesession server may act as a server for multiple domains that may belongto one or more domain owners.

The secure session server does not have local access to the private keythat is used during the handshake procedure when establishing the securesession between the client device and the secure session server. Forexample, for some cipher suites, the private key is used to decrypt thepremaster secret that has been encrypted with the corresponding publickey by the client device. As another example, for other cipher suites(e.g., cipher suites that use Diffie-Hellman for the key exchange), theprivate key is used to sign a message that contains cryptographicparameters that are used to generate the premaster secret. Inembodiments of the invention, the required private key is stored (oraccessible) from a device remote to the secure session server, which isreferred herein as the “key server.” Upon a point during the handshakeprocedure where the private key is needed, the secure session serverrequests the key server to access and use the private key.

For example, if the premaster secret has been generated by the clientand encrypted with a public key, the secure session server may requestthe key server to decrypt the premaster secret using the correspondingprivate key. The decrypted premaster secret is used by both the clientdevice and secure session server to create a shared secret (referred toas a master secret) that is used when generating the session keys thatare used to encrypt and decrypt data during the secure session. Afterreceiving the encrypted premaster secret (which the secure sessionserver cannot decrypt), the secure session server transmits theencrypted premaster secret to the key server, which has access to theprivate key that can decrypt the encrypted premaster secret. The keyserver decrypts and transmits the premaster secret to the secure sessionserver. The secure session server, after receiving the decryptedpremaster secret from the key server, generates the master secret anduses the master secret to generate the session keys that are used toencrypt and decrypt data during the secure session. The key server maytransmit the decrypted premaster secret to the secure session serverover a secure session or otherwise in an encrypted form. The securesession server and client finish the secure session handshake andestablish the secure session.

As another example, if the selected cipher suite is a Diffie-Hellmancipher suite that requires the cryptographic parameters used whengenerating the premaster secret to be signed with the private key, thesecure session server requests the key server to sign the cryptographicparameters with the private key.

FIG. 1 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device 110 and a securesession server 120 where the secure session server 120 does not haveaccess to the private key used during the secure session handshakeaccording to one embodiment. The client device 110 is a computing device(e.g., desktop, laptop, smartphone, mobile phone, tablet, gaming system,set-top box, server, etc.) that includes the client network application115 (e.g., a web browser or other application) that is capable ofaccessing network resources and is capable of acting as a client in asecure session. It should be understood that the use of the term “clientdevice” herein does not require that the device be an end-user clientdevice. Rather, the term “client device” is used herein to refer to acomputing device that operates as a client in the client-serverrelationship of a secure session (e.g., SSL and/or TLS).

The secure session server 120 is a computing device that includes thesecure session module 140 that establishes and maintains secure sessionswith client devices (and potentially the key server 130). The securesession server 120 also includes one or more certificates 145. By way ofexample, the certificate(s) 145 includes a certificate that is boundwith example.com. The certificate that is bound with example.comincludes a public key. The secure session server 120 does not store theprivate key that corresponds with the public key for example.com. Thekey server 130 is a computing device that includes the private key(s)150. By way of example, the private key(s) 150 include a private keythat corresponds with the public key included in the certificate forexample.com that is stored in the secure session server 120. The securesession module 150 of the secure session server 120 is configured to,upon a point during the handshake procedure where the private key (e.g.,the private key 150) is needed, to transmit a request to the key server130 to access and use that private key.

At operation 1.1, the client device 110 transmits a Client Hello messageto the secure session server 120. The Client Hello message begins thesecure session handshake. The client device 110 may transmit the ClientHello message to the secure session server 120 as a result of the clientnetwork application 115 attempting to visit a website that begins withHTTPS (e.g., https://example.com). In one embodiment, the Client Hellomessage is transmitted to the secure session server 120 as a result of aDomain Name System (DNS) request for the domain the client device 110 isattempting to connect to resolving to an IP address of the securesession server 120. The Client Hello message may include the following:an indication of the requested version of the SSL or TLS protocol, arequested session identifier used to identify the session connection, alist of cipher suites supported by the client device 110, a list of thecompression methods supported by the client device 110, random data usedfor cryptographic purposes (ClientHello.random), and also may indicatewhether and what type of extensions defined by the protocol that theclient supports. A number of cipher suites may be used in embodimentsdescribed herein (e.g., TLS_RSA_WITH_RC4_(—)128_SHA,TLS_RSA_WITH_RC4_(—)128_MD5, TLS_RSA_WITH_(—)3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_(—)128_SHA;TLS_ECDHE_RSA_WITH_(—)3DES_EDE_CBC_SHA;TLS_ECDHE_RSA_WITH_AES_(—)128_CBC_SHA;TLS_ECDHE_RSA_WITH_AES_(—)256_CBC_SHA; etc.).

In response to the Client Hello message, at operation 1.2 the securesession server 120 transmits a Server Hello message to the client device110. The Server Hello message may include the version of the SSL or TLSprotocol supported by the secure session server 120, a sessionidentifier that will be used to identify the session, the selectedcipher suite (selected from the list of cipher suites included in theClient Hello message), random data used for cryptographic purposes thatis different than the random data included in the ClientHello message(sometimes referred to as ServerHello.random), and may also include alist of the extensions that the server supports. The selected ciphersuite defines the cipher specification to be used that specifies thepseudorandom function (PRF) used to generate keying material, the bulkdata encryption algorithm (such as null, AES, etc.), the MessageAuthentication Code (MAC) algorithm, and other cryptographic attributessuch as encrypted key length, MAC key length, fixed IV length, etc. Aswill be described in greater detail later herein, if the secure sessionserver 120 supports session resumption without server-side state andintends to issue a ticket to the client with session state, the sessionidentifier included in the Server Hello message may be empty. If thesession identifier is not empty, then the secure session server 120 maybe supporting stateful session resumption.

The secure session server 120 also transmits a Certificate message tothe client device 110 at operation 1.3 (a server Certificate). TheCertificate message includes a digital certificate for the requesteddomain. For example, if the requested domain is example.com, theCertificate message includes a digital certificate bound to example.com.The digital certificate includes, among other things, a public key. Atoperation 1.4, the secure session server 120 transmits a Server HelloDone message to the client device 110 that indicates that thehello-message phase of the handshake is complete.

At operation 1.5, the client 110 transmits a Client Key Exchange messageto the secure session server 120. The Client Key Exchange messageincludes a random value called a premaster secret that has beenencrypted using the public key included in the Certificate message ofoperation 1.3. By way of a specific example, if the RSA algorithm isbeing used for key agreement and authentication, the client device 110generates a 48-byte value for the premaster secret and encrypts it usingthe public key from the server's certificate and transmits the encryptedpremaster secret to the secure session server 120. As will be describedbelow, the decrypted premaster secret is used to generate a sharedsecret between the client device 110 and the secure session 120 (calledthe master secret), which is then used when generating the encryptionand decryption keys used to encrypt and decrypt data transmitted duringthe secure session. It should be understood that if the encryptedpremaster secret cannot be decrypted, then the handshake will fail andthe secure session will not be established.

The secure session server 120 does not have the private key to decryptthe premaster secret. However, the private key is stored on the keyserver 130 (as one of the private key(s) 150). Although FIG. 1illustrates the key server 130 storing the private keys, in otherembodiments the key server 130 has access to the private keys but thoseprivate keys are stored on a different device. At operation 1.6, thesecure session server 120 transmits the encrypted premaster secret tothe key server 130. The key server 130 decrypts the encrypted premastersecret using the private key for the requested domain. The key server130 then transmits the decrypted premaster secret to the secure sessionserver 120 at operation 1.7. In one embodiment, the messages ofoperations 1.6 and 1.7 are transmitted over a secure connection 155(e.g., encrypted using SSL or TLS, or other mechanisms) and/or theencrypted premaster secret and the decrypted premaster secret areotherwise encrypted.

In one embodiment, the key server 130 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 130 may store or haveaccess to the private key for example.com and example2.com. In such anembodiment, in conjunction with transmitting the encrypted premastersecret to the key server 130, the secure session server 120 indicatesthe domain or zone in which the client device 110 is requesting aconnection. For example, if the client device 110 is requesting a securesession with example.com, then the secure session server 120 indicatesto the key server 130 that example.com is the requested domain. Theclient device 110 may specify the destination domain using the ServerName Indication (SNI) extension in the Client Hello message. SNI isdescribed in RFC 3546, June 2003. If the destination is not specified bythe client device 110 (e.g., the client device 110 does not supportSNI), then the secure session server 120 matches the destination IPaddress of the client-hello message sent by the client device 110 withthe corresponding hostname (e.g., the secure session server 120 mayinclude a mapping of IP addresses and hostnames). The secure sessionserver 120 may transmit the indication of the domain or zone name to thekey server 130 in a number of different ways including in a header, acustom binary structure, or a serialization format (e.g., protobuf,JavaScript Object Notation (JSON), etc.). After receiving the indicationof the domain or zone name in which the client is attempting to connect,the key server 130 accesses the corresponding private key and decryptsthe encrypted premaster secret. In another embodiment, a certificatefingerprint or a hash of the modulus (for RSA) may be used to identifythe corresponding private key. For example, the secure session server120 may generate a fingerprint over the certificate included in theCertificate message of operation 1.3 (e.g., a hash may be generated overthe certificate) and transmit that fingerprint value to the key server130. The key server 130 uses the same fingerprint algorithm to generatea fingerprint over its digital certificates and matches each to thecorresponding private key. Upon receiving the fingerprint value from thesecure session server 120, the key server 130 matches that fingerprintvalue with one of the fingerprint values it generated over the publiccertificate (the same public certificate included in the Certificatemessage of operation 1.3) to lookup the corresponding private key. Asanother example, the secure session server 120 may hash the modulus ofthe public key included in the certificate of the Certificate message ofoperation 1.3 and transmit that hash value to the key server 130. Thekey server 130 uses the same hash algorithm to generate a hash valueover the modulus over its stored public keys and matches each to thecorresponding private key. Upon receiving the hash value from the securesession server 120, the key server 130 matches that hash value with oneof the hash values it generated to lookup the corresponding private key.

The secure session server 120 uses the decrypted premaster secret tocalculate the master secret. The client device 110 and the securesession server 120 use the same algorithm and data to calculate the samemaster secret. By way of example, the master secret is calculated usinga pseudorandom function that takes as input the premaster secret, theClientHello.random value, and the ServerHello.random value.

The master secret is used by the client device 110 and the securesession server 120 to generate session keys that are used to encrypt anddecrypt information during the secure session. By way of a specificexample, the master secret is used to generate a client write MessageAuthentication Code (MAC) key, a server write MAC key, a client writeencryption key, and a server write encryption key. A client writeInitialization Vector (IV) and a server write IV may also be generateddepending on the cipher used.

At operation 1.8, the client device 110 transmits a Change Cipher Specmessage to the secure session server 120. The Change Cipher Spec messagefrom the client device 110 indicates that future messages transmitted bythe client device 110 will be encrypted. At operation 1.9, the clientdevice 110 transmits a Finished message to the secure session server120. The Finished message is encrypted using the generated session keys.By way of example, the Finished message includes an encrypted hash ofall of the messages in the handshake previously sent and received.

At operation 1.10, the secure session server 120 transmits a ChangeCipher Spec message to the client device 110 that indicates that futuremessages transmitted by the secure session server 120 will be encrypted.At operation 1.11, the secure session server 120 transmits a Finishedmessage to the client device 110. The Finished message may include anencrypted hash of all of the messages in the handshake previously sentand received.

After the Finished message of operation 1.11, the handshake is completeand the secure session 160 is considered to be established. At operation1.12, future messages of the secure session between the client device110 and secure session server 120 are encrypted over the secure session160, which carry the application data of the connection.

As described above, the connection between the secure session server 120and the key server 130 may be a secure connection for securelytransmitting the decrypted premaster secret and optionally securelytransmitting the encrypted premaster secret. As described above, asecure session (e.g., SSL or TLS) may be established between the securesession server 120 and the key server 130. As part of establishing thesecure session, the key server 130 may request a client certificate fromthe secure session server 120 and the secure session server 120 maytransmit a client Certificate message that includes its certificate tothe key server 130. The data in the client Certificate message is usedby the key server 130 to authenticate the identity of the secure sessionserver 120.

In some embodiments, the key server 130 may use IP address blocking toaccept connections (such as from the secure session server 120) fromonly certain IP addresses. For example, the key server 130 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 130 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 130. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 120 andthe key server 130.

Although a secure session has been described between the secure sessionserver 120 and the key server 130 that is initiated by the securesession server 120, in other embodiments the secure session can beinitiated by the key server 130.

In some embodiments, the messages transmitted by the secure sessionserver 120 to the key server 130 are signed with a private key that isknown only to the secure session server 120. In such embodiments, thekey server 130 verifies the validity of the signature of a message priorto acting on that message. By way of example, the message that includesthe encrypted premaster secret at operation 1.6 may be signed with aprivate key known only to the secure session server 120. The key server130 verifies whether the signature is valid using the correspondingpublic key and will only continue with the operations if the signatureis valid.

A combination of the security techniques described may be used toprovide security for the connection between the secure session server120 and the key server 130. For example, a combination of requiring aclient Certificate, IP address blocking, and signing the messagestransmitted by the secure session server with a private key known onlyto the secure session server may be used to provide security for theconnection between the secure session server 120 and the key server 130.

In one embodiment, the secure connection 155 between the secure sessionserver 120 and the key server 130 may be a Virtual Private Network (VPN)connection, which may be desirable in a firewalled environment.

FIG. 2 is a flow diagram that illustrates exemplary operations forestablishing a secure session implemented with public-key cryptographybetween a client device and a secure session server where the securesession server does not have access to a private key for the requesteddomain according to one embodiment. The private key is stored remotelyfrom the secure session server (e.g., on a key server).

At operation 210, the secure session server receives a message from theclient device that initiates a procedure to establish a secure sessionwith the client device. For example, the secure session server mayreceive a Client Hello message from the client device (e.g., an SSL orTLS Client Hello message). Depending on the protocol and capabilities ofthe client device, the message may indicate the destination host name inwhich the client device wishes to establish a secure session (e.g., theClient Hello message may include the Server Name Indication (SNI)extension and specify the destination host name).

In response to receiving the message in operation 210, the securesession server may perform a number of operations, includingtransmitting a digital certificate to the client device at operation215. The digital certificate includes a public key for the requesteddomain. It should be understood that the private key that corresponds tothe public key is not stored on the secure session server (e.g., it isstored remotely on a key server). The digital certificate may betransmitted in an SSL or TLS Certificate message. Prior to transmittingthe digital certificate, the secure session server may perform a numberof other operations including transmitting a Server Hello message to theclient device. If the message in operation 210 indicates the destinationdomain, the secure session server transmits the digital certificatebound to that destination domain. If the message in operation 210 doesnot indicate the destination host name, the secure session servertransmits the digital certificate that is associated with thedestination IP address of the message in operation 210, which is boundto the requested domain. Flow moves from operation 215 to operation 220.

At operation 220, the secure session server receives from the clientdevice a premaster secret that has been encrypted using the public keyin the digital certificate transmitted in operation 215. The encryptedpremaster secret may be sent by the client device in a SSL or TLS ClientKey Exchange message. Flow moves from operation 220 to operation 225.

The secure session server does not have the private key that correspondswith the public key that encrypted the premaster secret. As a result,the secure session server cannot decrypt the encrypted premaster secretto obtain the premaster secret. At operation 225, the secure sessionserver transmits the encrypted premaster secret to a key server that hasthe private key that can decrypt the encrypted premaster secret. In oneembodiment, the key server is located remotely from the secure sessionserver. Moreover, in some embodiments, the secure session server and thekey server may be owned and/or operated by different entities. Forexample, the secure session server may not be under physical control ofthe owner of the requested domain while the key server is under physicalcontrol of the owner of the requested domain. In one embodiment, theencrypted premaster secret is transmitted to the key server over asecure connection (e.g., encrypted using SSL or TLS) and/or is otherwiseencrypted. Flow moves from operation 225 to operation 230.

In response to receiving the encrypted premaster secret, the key serverdecrypts the encrypted premaster secret and obtains the premastersecret. FIG. 3 is a flow diagram that illustrates exemplary operationsperformed by a key server in response to receiving an encryptedpremaster secret from a secure session server according to oneembodiment. At operation 310, the key server receives an encryptedpremaster secret from the secure session server. For example, the keyserver receives the encrypted premaster secret transmitted by the securesession server in operation 225 of FIG. 2.

Flow then moves to operation 315 where the key server accesses a privatekey that corresponds with the public key that was used to encrypt thepremaster secret. The key server may receive from the secure sessionserver an indication of the domain or zone name in which the clientdevice is attempting to establish a secure session for. This indicationmay be transmitted in a number of different ways including in a header,a custom binary structure, or a serialization format (e.g., protobuf,JavaScript Object Notation (JSON), etc.). The key server uses thisindication to access the private key that corresponds with the publickey that encrypted the premaster secret.

Flow then moves to operation 320 where the key server decrypts theencrypted premaster secret using the accessed private key. Flow thenmoves to operation 325 where the key server transmits the decryptedpremaster secret to the secure session server.

As described above, the key server may transmit the decrypted premastersecret to the secure session over a secure session. As part ofestablishing the secure session between the key server and the securesession server, the key server may request a client certificate from thesecure session server in order to authenticate the identity of thesecure session server. In some embodiments, the key server may use IPaddress based blocking to verify that the key server is communicatingwith a legitimate secure session server (e.g., by verifying that thesecure session server is communicating with an IP address having a valuethat is expected by the key server). In some embodiments, the connectionbetween the key server and the secure session server is a VPNconnection. In some embodiments, the messages transmitted by the securesession server to the key server are signed with a private key that isknown only to the secure session server. In such embodiments, the keyserver verifies the validity of the signature of a message prior toacting on that message. In some embodiments, any combination of thesesecurity techniques may be used.

Referring back to FIG. 2, at operation 230, the secure session serverreceives the decrypted premaster secret from the key server. In oneembodiment, the decrypted premaster secret is transmitted to the securesession server over a secure connection (e.g., encrypted using SSL orTLS) and/or is otherwise encrypted such that the secure session serveris able to decrypt the message. Flow moves from operation 230 tooperation 235.

After obtaining the decrypted premaster secret from the key server, thesecure session server can proceed with the secure session handshake withthe client device and establish the secure session. For example, atoperation 235, the secure session server generates a master secret usingthe decrypted premaster secret. The client device also generates thesame master secret.

Flow then moves to operation 240 where the secure session servergenerates a set of session keys to be used in the secure session whenencrypting and decrypting information. By way of a specific example, themaster secret is used to generate a client write Message AuthenticationCode (MAC) key, a server write MAC key, a client write encryption key,and a server write encryption key. A client write Initialization Vector(IV) and a server write IV may also be generated depending on the cipherused.

Flow moves from operation 240 to operation 245 where the secure sessionserver completes the handshake with the client device and establishes asecure session with the client device. For example, the client deviceand secure session server each may transmit a Change Cipher Spec messageand a Finished message, as previously described herein. While the securesession is in operation, the client device and secure session server mayexchange data securely.

FIG. 4 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device 410 and a securesession server 420 where the secure session server 420 does not haveaccess to the private key used during the secure session handshakeaccording to one embodiment. The embodiment described in FIG. 4describes the messages for establishing a secure session where thecipher suite chosen requires the use of a Server Key Exchange message(e.g., a Diffie-Hellman cipher suite is used such as ephemeralDiffie-Hellman RSA (DHE_RSA), ephemeral Diffie-Hellman Digital SignatureStandard (DHE_DSS), Ephemeral Elliptic Curve Diffie-Hellman (ECDHE)(e.g., (ECDHE) (e.g., ECDHE_ECDSA, ECDHE_RSA))). The client device 410(including the client network application 415) is similar to the clientdevice 110 of FIG. 1. The secure session server 420, including thesecure session module 440 and the certificate(s) 445, are similar to thesecure session server 120 (including the secure session module 140 andthe certificate(s) 145), but perform different operations as will bedescribed below. The key server 430 is similar to the key server 130 ofFIG. 1, but performs different operations as will be described below.

At operation 4.1, the client device 410 transmits a Client Hello messageto the secure session server 420. This Client Hello message is similarto the Client Hello message described in operation 1.1 of FIG. 1. Inresponse to the Client Hello message, at operation 4.2 the securesession server 420 transmits a Server Hello message to the client device410. This Server Hello message is similar to the Server Hello messagedescribed in operation 1.2 of FIG. 1. The secure session server 420 alsotransmits a Certificate message to the client device 410 at operation4.3 (a server Certificate). This Certificate message is similar to theCertificate message described in operation 1.3 of FIG. 1, but it doesnot include enough data to allow the client device 410 to generate thepremaster secret.

Although not illustrated in FIG. 4, the secure session server 420 hasselected a cipher suite that has a key exchange in which the certificatemessage transmitted in operation 4.3 does not include enough data toallow the client device 410 to generate a premaster secret. For example,the selected cipher suite may use Diffie-Hellman as the key exchangemechanism (e.g., DHE_RSA, DHE_DSS, Ephemeral Elliptic CurveDiffie-Hellman (ECDHE) (e.g., ECDHE_ECDSA, ECDHE_RSA)). Because of this,the secure session server 420 will transmit a message to the clientdevice 410 that conveys cryptographic information to allow the clientdevice 410 and the secure session server 420 to each generate the samepremaster secret. By way of a specific example where the key exchangemechanism is Diffie-Hellman such as DHE_DSS or DHE_RSA, thecryptographic information includes a set of cryptographic parametersthat may include the following: the prime modulus used for theDiffie-Hellman operation (p), the generator used for the Diffie-Hellmanoperation (g), and a Diffie-Hellman public value of the server (ĝX modp, where X is the Diffie-Hellman private value of the server). Asanother specific example where the key exchange mechanism is EphemeralElliptic Curve Diffie-Hellman (ECDHE) such as ECDHE_ECDSA or ECDHE_RSA,the cryptographic parameters include the Ephemeral ECDH public key and aspecification of the corresponding curve (the corresponding ellipticcurve domain parameters) (e.g., as defined in RFC 4492). The messagethat conveys the cryptographic information is referred to as a ServerKey Exchange message. The cryptographic information of the Server KeyExchange message may need to be signed with the private key 450corresponding to the public key of the server transmitted in theCertificate message transmitted in operation 4.3 (e.g., if the keyexchange mechanism is DHE_RSA, DHE_DSS, ECDHE_ECDSA, or ECDHE_RSA). Forexample, private key 450 may be used to sign the set of cryptographicparameters, the ClientHello.random value, and the ServerHello.randomvalue. As similarly described with respect to the embodiment discussedin FIG. 1, the secure session server 420 does not have local access tothis private key 450. As a result, the secure session server 420 cannotsign the Server Key Exchange message with this private key 450.

Since the secure session server 420 does not have local access to theprivate key 450, at operation 4.4 the secure session server 420transmits a request to the key server 430 to sign the cryptographicparameters of the Server Key Exchange message with the private key 450.

In one embodiment, the secure session server 420 generates thesecryptographic parameters (and selects the server's private value used inthe Diffie-Hellman operation) and transmits these cryptographicparameters and any other required information (e.g., theClientHello.random and ServerHello.random values) to the key server 430to sign using the private key 450. In this embodiment, the private key450 is typically an RSA key if the key exchange mechanism is DHE_RSA orECDHE_RSA, and is typically a Digital Signature Algorithm (DSA) key ifthe key exchange mechanism is DHE_DSS or an ECDSA key if the keyexchange mechanism is ECDHE_ECDSA.

The key server 430 transmits the result of the signed server keyexchange parameters to the secure session server 420 at operation 4.5.In one embodiment, the messages of operations 4.4 and 4.5 aretransmitted over a secure connection 455 (e.g., encrypted using SSL orTLS, or other mechanisms) and/or are otherwise encrypted.

In one embodiment, the key server 430 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 430 may store or haveaccess to the private key for example.com and example2.com. In such anembodiment, the secure session server 420 indicates the domain or zonein which the client device 410 is requesting a connection. For example,if the client device 410 is requesting a secure session withexample.com, then the secure session server 420 indicates to the keyserver 430 that example.com is the requested domain. The client device410 may specify the destination domain using the SNI extension in theClient Hello message. If the destination is not specified by the clientdevice 410 (e.g., the client device 410 does not support SNI), then thesecure session server 420 matches the destination IP address of theclient-hello message sent by the client device 410 with thecorresponding hostname (e.g., the secure session server 420 may includea mapping of IP addresses and hostnames). The secure session server 420may transmit the indication of the domain or zone name to the key server430 in a number of different ways including in a header, a custom binarystructure, or a serialization format (e.g., protobuf, JavaScript ObjectNotation (JSON), etc.). After receiving the indication of the domain orzone name in which the client is attempting to connect, the key server430 accesses the corresponding private key. In another embodiment, acertificate fingerprint or a hash of the modulus (for RSA) may be usedto identify the corresponding private key. For example, the securesession server 420 may generate a fingerprint over the certificateincluded in the Certificate message of operation 4.3 (e.g., a hash maybe generated over the certificate) and transmit that fingerprint valueto the key server 430. The key server 430 uses the same fingerprintalgorithm to generate a fingerprint over its digital certificates andmatches each to the corresponding private key. Upon receiving thefingerprint value from the secure session server 420, the key server 430matches that fingerprint value with one of the fingerprint values itgenerated over the public certificate (the same public certificateincluded in the Certificate message of operation 4.3) to lookup thecorresponding private key. As another example, the secure session server420 may hash the modulus of the public key included in the certificateof the Certificate message of operation 4.3 and transmit that hash valueto the key server 430. The key server 430 uses the same hash algorithmto generate a hash value over the modulus over its stored public keysand matches each to the corresponding private key. Upon receiving thehash value from the secure session server 420, the key server 430matches that hash value with one of the hash values it generated tolookup the corresponding private key.

At operation 4.6, the secure session server 420 transmits the Server KeyExchange message to the client device 410, which includes the signedcryptographic parameters. The secure session server 420 also transmits aServer Hello Done message to the client device 410 at operation 4.7 thatindicates that the hello-message phase of the handshake is complete.

The client device 410 authenticates the information in the Server KeyExchange message using the corresponding public key (e.g., the publickey received in the Certificate message transmitted in operation 4.3).Assuming that the information is authenticated, the client device 410generates the premaster secret using that information. The clienttransmits the Client Key Exchange message in operation 4.8.

Unlike the Client Key Exchange message of FIG. 1, this Client KeyExchange message transmitted in operation 4.8 does not include thepremaster secret. Rather, this Client Key Exchange message includes theinformation necessary for the server (the secure session server 420) togenerate the same premaster secret (e.g., it includes the client'sDiffie-Hellman public value). For example, in an embodiment where thesecure session server 420 generates the Diffie-Hellman cryptographicparameters, the secure session server 420 generates the premaster secretusing the client's Diffie-Hellman public value (received in the ClientKey Exchange message) and its Diffie-Hellman private value.

The secure session server 420 uses the premaster secret to calculate themaster secret. The client device 410 and the secure session server 420use the same algorithm and data to calculate the same master secret. Byway of example, the master secret is calculated using a pseudorandomfunction that takes as input the premaster secret, theClientHello.random value, and the ServerHello.random value. The mastersecret is used by the client device 410 and the secure session server420 to generate session keys that are used to encrypt and decryptinformation during the secure session. By way of a specific example, themaster secret is used to generate a client write Message AuthenticationCode (MAC) key, a server write MAC key, a client write encryption key,and a server write encryption key. A client write Initialization Vector(IV) and a server write IV may also be generated depending on the cipherused.

At operation 4.9, the client device 410 transmits a Change Cipher Specmessage to the secure session server 420. The Change Cipher Spec messagefrom the client device 410 indicates that future messages transmitted bythe client device 410 will be encrypted. At operation 4.10, the clientdevice 410 transmits a Finished message to the secure session server420. The Finished message is encrypted using the generated session keys.By way of example, the Finished message includes an encrypted hash ofall of the messages in the handshake previously sent and received.

At operation 4.11, the secure session server 420 transmits a ChangeCipher Spec message to the client device 410 that indicates that futuremessages transmitted by the secure session server 420 will be encrypted.At operation 4.12, the secure session server 420 transmits a Finishedmessage to the client device 410. The Finished message may include anencrypted hash of all of the messages in the handshake previously sentand received.

After the Finished message of operation 4.12, the handshake is completeand the secure session 460 is considered to be established. At operation4.13, future messages during the session between the client device 410and secure session server 420 are encrypted over the secure session 460,which carry the application data of the connection.

As described above, the connection between the secure session server 420and the key server 430 may be a secure connection. As described above, asecure session (e.g., SSL or TLS) may be established between the securesession server 420 and the key server 430. As part of establishing thesecure session, the key server 430 may request a client certificate fromthe secure session server 420 and the secure session server 420 maytransmit a client Certificate message that includes its certificate tothe key server 430. The data in the client Certificate message is usedby the key server 430 to authenticate the identity of the secure sessionserver 420.

In some embodiments, the key server 430 may use IP address blocking toaccept connections (such as from the secure session server 420) fromonly certain IP addresses. For example, the key server 430 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 430 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 430. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 420 andthe key server 430.

Although a secure session has been described between the secure sessionserver 420 and the key server 430 that is initiated by the securesession server 420, in other embodiments the secure session can beinitiated by the key server 430.

In some embodiments, the messages transmitted by the secure sessionserver 420 to the key server 430 are signed with a private key that isknown only to the secure session server 420. In such embodiments, thekey server 430 verifies the validity of the signature of a message priorto acting on that message. By way of example, the message that includesthe request to sign the server key exchange parameters of operation 4.4may be signed with a private key known only to the secure session server420. The key server 430 verifies whether the signature is valid usingthe corresponding public key and will only continue with the operationsif the signature is valid.

A combination of the security techniques described may be used. Forexample, a combination of requiring a client Certificate, IP addressblocking, and signing the messages transmitted by the secure sessionserver with a private key known only to the secure session server may beused to provide security for the connection between the secure sessionserver 420 and the key server 430.

In one embodiment, the secure connection 455 between the secure sessionserver 420 and the key server 430 may be a Virtual Private Network (VPN)connection, which may be desirable in a firewalled environment.

FIG. 5 is a flow diagram that illustrates exemplary operations forestablishing a secure session implemented with public-key cryptographybetween a client device and a secure session server where the securesession server does not have access to the private key used during thesecure session handshake according to one embodiment.

At operation 510, the secure session server receives a message from theclient device that initiates a procedure to establish a secure sessionwith the client device. For example, the secure session server mayreceive a Client Hello message from the client device (e.g., an SSL orTLS Client Hello message). Depending on the protocol and capabilities ofthe client device, the message may indicate the destination host name inwhich the client device wishes to establish a secure session (e.g., theClient Hello message may include the Server Name Indication (SNI)extension and specify the destination host name).

In response to receiving the message in operation 510, the securesession server may perform a number of operations, includingtransmitting a digital certificate to the client device at operation515. The digital certificate includes a public key for the requesteddomain. It should be understood that the private key that corresponds tothe public key is not stored on the secure session server (e.g., it isstored remotely on a key server). The digital certificate may betransmitted in an SSL or TLS Certificate message. Prior to transmittingthe digital certificate, the secure session server may perform a numberof other operations including transmitting a Server Hello message to theclient device. If the message in operation 510 indicates the destinationdomain, the secure session server transmits the digital certificatebound to that destination domain. If the message in operation 510 doesnot indicate the destination host name, the secure session servertransmits the digital certificate that is associated with thedestination IP address of the message in operation 510, which is boundto the requested domain. Flow moves from operation 515 to operation 520.

In the embodiment of FIG. 5, the secure session server has selected acipher suite that has a key exchange in which the certificate messagetransmitted by the secure session server does not include enough data toallow the client device to generate a premaster secret. For example, theselected cipher suite may use Diffie-Hellman as the key exchangemechanism (e.g., DHE_RSA, DHE_DSS, ECDHE_ECDSA, or ECDHE_RSA).

At operation 520, the secure session server generates a set ofcryptographic parameters used for generating the premaster secret forthe selected key exchange message. By way of a specific example wherethe key exchange mechanism is Diffie-Hellman such as DHE_DSS or DHE_RSA,the cryptographic parameters may include the following: the primemodulus used for the Diffie-Hellman operation (p), the generator usedfor the Diffie-Hellman operation (g), and a Diffie-Hellman public valueof the secure session server (ĝX mod p, where X is the Diffie-Hellmanprivate value selected by the secure session server). As anotherspecific example where the key exchange mechanism is Ephemeral EllipticCurve Diffie-Hellman (ECDHE) such as ECDHE_ECDSA or ECDHE_RSA, thecryptographic parameters include the Ephemeral ECDH public key and aspecification of the corresponding curve (the corresponding ellipticcurve domain parameters) (e.g., as defined in RFC 4492). Flow moves fromoperation 520 to operation 525.

The set of cryptographic parameters will be included in a message to betransmitted to the client device. Depending on the selected ciphersuite, these cryptographic parameters may be required to be signed(e.g., with the private key that corresponds to the public key for therequested domain). The secure session server does not have local accessto the private key (e.g., it is stored on a key server that is locatedremotely from the secure session server). At operation 525, the securesession server transmits a request to a key server to sign the set ofcryptographic parameters with a private key that corresponds to thepublic key for the requested domain. In addition to the cryptographicparameters, the request may also include one or more random values thatare also signed (e.g., the ClientHello.random and ServerHello.randomvalues). The signed set of cryptographic parameters and other randomvalues will be included in a message to the client device in which theclient device authenticates. Flow moves from operation 525 to operation530.

FIG. 6 is a flow diagram that illustrates exemplary operations performedby a key server in response to receiving a request to sign cryptographicparameters from a secure session server according to one embodiment. Atoperation 610, the key server receives a request to sign cryptographicparameters from a secure session server. For example, the key serverreceives the request transmitted by the secure session server inoperation 525 of FIG. 5.

Flow then moves to operation 615 where the key server accesses a privatekey that corresponds with the public key for the requested domain. Thekey server may receive an indication from the secure session server ofthe domain or zone name in which the client device is attempting toestablish a secure session for. This indication may be transmitted in anumber of different ways including in a header, a custom binarystructure, or a serialization format (e.g., protobuf, JavaScript ObjectNotation (JSON), etc.). The key server uses this indication to accessthe private key that corresponds with the public key for the requesteddomain. Flow then moves to operation 620.

At operation 620, the key server signs the cryptographic parametersusing the accessed private key. Flow then moves to operation 625 wherethe key server transmits the signed cryptographic parameters to thesecure session server.

The key server may transmit the signed cryptographic parameters over asecure session. As part of establishing the secure session between thekey server and the secure session server, the key server may request aclient certificate from the secure session server in order toauthenticate the identity of the secure session server. In someembodiments, the key server may use IP address based blocking to verifythat the key server is communicating with a legitimate secure sessionserver (e.g., by verifying that the secure session server iscommunicating with an IP address having a value that is expected by thekey server). In some embodiments, the connection between the key serverand the secure session server is a Virtual Private Network (VPN)connection. In some embodiments, the messages transmitted by the securesession server to the key server are signed with a private key that isknown only to the secure session server. In such embodiments, the keyserver verifies the validity of the signature of a message prior toacting on that message. In some embodiments, any combination of thesesecurity techniques may be used.

Referring back to FIG. 5, at operation 530, the secure session serverreceives, from the key server, a message with the signed set ofcryptographic parameters. Flow then moves to operation 535 where thesecure session server transmits the signed set of cryptographicparameters to the client device. The signed set of cryptographicparameters may be transmitted to the client in a Server Key Exchangemessage. Flow moves from operation 535 to operation 540.

The client device will authenticate the information in the message(e.g., authenticate the signature) using the public key previouslyreceived from the server. Assuming that it is authenticated, the clientdevice will generate the premaster secret using in part thatinformation. The client device, however, does not communicate thepremaster secret to the secure session server in this embodiment.Rather, it communicates the information necessary for the secure sessionserver to generate the same premaster secret. For example, the clientdevice transmits its Diffie-Hellman public value (generated in part fromthe set of cryptographic parameters received from the secure sessionserver) to the secure session server. Thus, at operation 540, the securesession server receives a public value generated by the client devicebased in part on the cryptographic parameters (e.g., the client device'sDiffie-Hellman public value). Flow moves from operation 540 to operation545.

At operation 545, the secure session server generates the premastersecret (which should be the same premaster secret as generated by theclient device) using the received public value and at least some of thecryptographic parameters. By way of a specific example, the securesession server generates the premaster secret by computing ŷX mod p,where y is the public value of the client device, X is the private valueof the secure session server, and p is the prime modulus value.

Flow moves from operation 545 to operation 550, where the secure sessionserver generates a master secret using the premaster secret. The clientdevice also generates the same master secret. Flow then moves tooperation 555, where the secure session server generates a set ofsession keys to be used in the secure session when encrypting anddecrypting information. By way of a specific example, the master secretis used to generate a client write Message Authentication Code (MAC)key, a server write MAC key, a client write encryption key, and a serverwrite encryption key. A client write Initialization Vector (IV) and aserver write IV may also be generated depending on the cipher used.

Flow moves from operation 555 to operation 560 where the secure sessionserver completes the handshake with the client device and establishes asecure session with the client device. For example, the client deviceand secure session server each may transmit a Change Cipher Spec messageand a Finished message, as previously described herein. While the securesession is in operation, the client device and secure session server mayexchange data securely.

FIG. 7 illustrates another embodiment for establishing a secure sessionbetween a client device and a secure session server where the securesession server does not have access to the private key used during thesecure session handshake. Similar to the embodiment described in FIG. 4,the embodiment described in FIG. 7 describes the messages where thecipher suite chosen requires the use of a Server Key Exchange message(e.g., a Diffie-Hellman cipher suite is used such as DHE_RSA, DHE_DSS,ECDHE_RSA, or ECDHE_ECDSA). Unlike the embodiment described in FIG. 4,however, in the embodiment of FIG. 7, the key server generates thecryptographic parameters used during the key exchange. The client device710 (including the client network application 715) is similar to theclient device 110 of FIG. 1. The secure session server 720, includingthe secure session module 740 and the certificate(s) 745, are similar tothe secure session server 120 (including the secure session module 140and the certificate(s) 145), but perform different operations as will bedescribed below. The key server 730 is similar to the key server 130 ofFIG. 1, but performs different operations as will be described below.

At operation 7.1, the client device 710 transmits a Client Hello messageto the secure session server 720. This Client Hello message is similarto the Client Hello message described in operation 1.1 of FIG. 1. Inresponse to the Client Hello message, at operation 7.2 the securesession server 720 transmits a Server Hello message to the client device710. This Server Hello message is similar to the Server Hello messagedescribed in operation 1.2 of FIG. 1. The secure session server 720 alsotransmits a Certificate message to the client device 710 at operation7.3 (a server Certificate). This Certificate message is similar to theCertificate message described in operation 1.3 of FIG. 1, but it doesnot include enough data to allow the client device 710 to generate thepremaster secret.

Although not illustrated in FIG. 7, the secure session server 720 hasselected a cipher suite that has a key exchange in which the certificatemessage transmitted in operation 7.3 does not include enough data toallow the client device 710 to generate a premaster secret. For example,the selected cipher suite may use Diffie-Hellman as the key exchangemechanism (e.g., DHE_RSA, DHE_DSS, ECDHE_ECDSA, or ECDHE_RSA). Becauseof this, the secure session server 720 will transmit a message to theclient device 710 that conveys cryptographic information to allow theclient device 710 and the secure session server 720 to each generate thesame premaster secret. By way of a specific example where the keyexchange mechanism is Diffie-Hellman such as DHE_DSS or DHE_RSA, thecryptographic information includes a set of cryptographic parametersthat may include the following: the prime modulus used for theDiffie-Hellman operation (p), the generator used for the Diffie-Hellmanoperation (g), and a Diffie-Hellman public value of the server (ĝX modp, where X is the Diffie-Hellman private value of the server). Asanother specific example where the key exchange mechanism is ECDHE suchas ECDHE_ECDSA or ECDHE_RSA, the cryptographic parameters include theEphemeral ECDH public key and a specification of the corresponding curve(the corresponding elliptic curve domain parameters) (e.g., as definedin RFC 4492). The message that conveys the cryptographic information isreferred to as a Server Key Exchange message. The cryptographicinformation of the Server Key Exchange message may need to be signedwith the private key 750 corresponding to the public key of the servertransmitted in the Certificate message transmitted in operation 7.3(e.g., if the key exchange mechanism is DHE_RSA, DHE_DSS, ECDHE_RSA, orECDHE_ECDSA). For example, private key 750 may be used to sign the setof cryptographic parameters, the ClientHello.random value, and theServerHello.random value. As similarly described with respect to theembodiment discussed in FIG. 1, the secure session server 720 does nothave local access to this private key 750. As a result, the securesession server 720 cannot sign the Server Key Exchange message with thisprivate key 750.

At operation 7.4 the secure session server 720 transmits a request tothe key server 730 to generate and sign the cryptographic parameters tobe used in the Server Key Exchange message. The key server 730 generatesthe cryptographic parameters (the secure session server 420 may transmitany other required information such as the ClientHello.random andServerHello.random values that may be used when signing) and signs theresult using the private key 750. In this embodiment, the private key750 is typically an RSA key if the key exchange mechanism is DHE_RSA orECDHE_RSA, and is typically a DSA key if the key exchange mechanism isDHE_DSS or an ECDSA key if the key exchange mechanism is ECDHE_ECDSA.

At operation 7.5, the key server 730 transmits the signed server keyexchange parameters back to the secure session server 720. The securesession server 720 uses the signed parameters in the Server Key Exchangemessage transmitted to the client device 710 at operation 7.6. Thesecure session server 720 also transmits a Server Hello Done message tothe client device 710 that indicates that the hello-message phase of thehandshake is complete at operation 7.7.

In one embodiment, the key server 730 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 730 may store or haveaccess to the private key for example.com and example2.com. In such anembodiment, the secure session server 720 indicates the domain or zonein which the client device 710 is requesting a connection. For example,if the client device 410 is requesting a secure session withexample.com, then the secure session server 720 indicates to the keyserver 730 that example.com is the requested domain. The client device710 may specify the destination domain using the SNI extension in theClient Hello message. If the destination is not specified by the clientdevice 710 (e.g., the client device 710 does not support SNI), then thesecure session server 720 matches the destination IP address of theclient-hello message sent by the client device 710 with thecorresponding hostname (e.g., the secure session server 720 may includea mapping of IP addresses and hostnames). The secure session server 720may transmit the indication of the domain or zone name to the key server730 in a number of different ways including in a header, a custom binarystructure, or a serialization format (e.g., protobuf, JavaScript ObjectNotation (JSON), etc.). After receiving the indication of the domain orzone name in which the client is attempting to connect, the key server730 accesses the corresponding private key. In another embodiment, acertificate fingerprint or a hash of the modulus (for RSA) may be usedto identify the corresponding private key. For example, the securesession server 720 may generate a fingerprint over the certificateincluded in the Certificate message of operation 7.3 (e.g., a hash maybe generated over the certificate) and transmit that fingerprint valueto the key server 730. The key server 730 uses the same fingerprintalgorithm to generate a fingerprint over its digital certificates andmatches each to the corresponding private key. Upon receiving thefingerprint value from the secure session server 720, the key server 730matches that fingerprint value with one of the fingerprint values itgenerated over the public certificate (the same public certificateincluded in the Certificate message of operation 7.3) to lookup thecorresponding private key. As another example, the secure session server720 may hash the modulus of the public key included in the certificateof the Certificate message of operation 74.3 and transmit that hashvalue to the key server 730. The key server 730 uses the same hashalgorithm to generate a hash value over the modulus over its storedpublic keys and matches each to the corresponding private key. Uponreceiving the hash value from the secure session server 720, the keyserver 730 matches that hash value with one of the hash values itgenerated to lookup the corresponding private key.

The client device 710 authenticates the information in the Server KeyExchange message using the corresponding public key (e.g., the publickey received in the Certificate message transmitted in operation 7.3).Assuming that the information is authenticated, the client device 710generates the premaster secret using that information. The clienttransmits the Client Key Exchange message in operation 7.8.

This Client Key Exchange message includes the information necessary forthe key server 730 to generate the same premaster secret (e.g., itincludes the client's Diffie-Hellman public value). The secure sessionserver 720 transmits a request to the key server 730 to generate thepremaster secret using the client's public value at operation 7.9. Thekey server 730 generates the premaster secret using the client's publicvalue and transmits the premaster secret to the secure session server720 at operation 7.10.

The secure session server 720 uses the premaster secret to calculate themaster secret. The client device 710 and the secure session server 720use the same algorithm and data to calculate the same master secret. Byway of example, the master secret is calculated using a pseudorandomfunction that takes as input the premaster secret, theClientHello.random value, and the ServerHello.random value. The mastersecret is used by the client device 710 and the secure session server720 to generate session keys that are used to encrypt and decryptinformation during the secure session. By way of a specific example, themaster secret is used to generate a client write Message AuthenticationCode (MAC) key, a server write MAC key, a client write encryption key,and a server write encryption key. A client write Initialization Vector(IV) and a server write IV may also be generated depending on the cipherused.

At operation 7.11, the client device 710 transmits a Change Cipher Specmessage to the secure session server 720. The Change Cipher Spec messagefrom the client device 710 indicates that future messages transmitted bythe client device 710 will be encrypted. At operation 7.12, the clientdevice 710 transmits a Finished message to the secure session server720. The Finished message is encrypted using the generated session keys.By way of example, the Finished message includes an encrypted hash ofall of the messages in the handshake previously sent and received.

At operation 7.13, the secure session server 720 transmits a ChangeCipher Spec message to the client device 710 that indicates that futuremessages transmitted by the secure session server 720 will be encrypted.At operation 7.14, the secure session server 720 transmits a Finishedmessage to the client device 710. The Finished message may include anencrypted hash of all of the messages in the handshake previously sentand received.

After the Finished message of operation 7.14, the handshake is completeand the secure session 760 is considered to be established. At operation7.15 future messages during the session between the client device 110and secure session server 120 are encrypted over the secure session 760,which carry the application data of the connection.

In one embodiment, the messages transmitted in operations 7.4, 7.5, 7.9,and 7.10 are transmitted over a secure connection 755 (e.g., encryptedusing SSL or TLS, or other mechanisms) and/or are otherwise encrypted.

As described above, a secure session (e.g., SSL or TLS) may beestablished between the secure session server 720 and the key server730. As part of establishing the secure session, the key server 730 mayrequest a client certificate from the secure session server 720 and thesecure session server 720 may transmit a client Certificate message thatincludes its certificate to the key server 730. The data in the clientCertificate message is used by the key server 730 to authenticate theidentity of the secure session server 720.

In some embodiments, the key server 730 may use IP address blocking toaccept connections (such as from the secure session server 720) fromonly certain IP addresses. For example, the key server 730 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 730 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 730. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 720 andthe key server 730.

Although a secure session has been described between the secure sessionserver 720 and the key server 730 that is initiated by the securesession server 720, in other embodiments the secure session can beinitiated by the key server 730.

In some embodiments, the messages transmitted by the secure sessionserver 720 to the key server 730 are signed with a private key that isknown only to the secure session server 720. In such embodiments, thekey server 730 verifies the validity of the signature of a message priorto acting on that message. By way of example, the message that includesthe request to sign the server key exchange parameters of operation 7.4may be signed with a private key known only to the secure session server720. The key server 730 verifies whether the signature is valid usingthe corresponding public key and will only continue with the operationsif the signature is valid.

A combination of the security techniques described may be used. Forexample, a combination of requiring a client Certificate, IP addressblocking, and signing the messages transmitted by the secure sessionserver with a private key known only to the secure session server may beused to provide security for the connection between the secure sessionserver 720 and the key server 730.

In one embodiment, the secure connection 755 between the secure sessionserver 720 and the key server 730 may be a Virtual Private Network (VPN)connection, which may be desirable in a firewalled environment.

FIG. 8 is a flow diagram that illustrates exemplary operations forestablishing a secure session implemented with public-key cryptographybetween a client device and a secure session server where the securesession server does not have access to the private key used during thesecure session handshake according to another embodiment. At operation810, the secure session server receives a message from the client devicethat initiates a procedure to establish a secure session with the clientdevice. For example, the secure session server may receive a ClientHello message from the client device (e.g., an SSL or TLS Client Hellomessage). Depending on the protocol and capabilities of the clientdevice, the message may indicate the destination host name in which theclient device wishes to establish a secure session (e.g., the ClientHello message may include the Server Name Indication (SNI) extension andspecify the destination host name).

In response to receiving the message in operation 810, the securesession server may perform a number of operations, includingtransmitting a digital certificate to the client device at operation815. The digital certificate includes a public key for the requesteddomain. It should be understood that the private key that corresponds tothe public key is not stored on the secure session server (e.g., it isstored remotely on a key server). The digital certificate may betransmitted in an SSL or TLS Certificate message. Prior to transmittingthe digital certificate, the secure session server may perform a numberof other operations including transmitting a Server Hello message to theclient device. If the message in operation 810 indicates the destinationdomain, the secure session server transmits the digital certificatebound to that destination domain. If the message in operation 810 doesnot indicate the destination host name, the secure session servertransmits the digital certificate that is associated with thedestination IP address of the message in operation 810, which is boundto the requested domain. Flow moves from operation 815 to operation 820.

In the embodiment of FIG. 8, the secure session server has selected acipher suite that has a key exchange in which the certificate messagetransmitted by the secure session server does not include enough data toallow the client device to generate a premaster secret. For example, theselected cipher suite may use Diffie-Hellman as the key exchangemechanism (e.g., DHE_RSA, DHE_DSS, ECDHE_ECDSA, or ECDHE_RSA).

In contrast to the embodiment described with reference to FIG. 5, thesecure session server does not generate the set of cryptographicparameters used for generating the premaster secret. Instead, the keyserver generates these cryptographic parameters. At operation 820, thesecure session server transmits a request to generate and sign a set ofcryptographic parameters used for generating the premaster secret to thekey server. The request may also include one or more random values thatwill also be signed (e.g., the ClientHello.random and ServerHello.randomvalues). Flow moves from operation 820 to operation 825.

FIG. 9 is a flow diagram that illustrates exemplary operations performedby a key server according to one embodiment. At operation 910, the keyserver receives a request from a secure session server to generate andsign cryptographic parameters to be used during generating the premastersecret. For example, the key server receives the request transmitted bythe secure session server in operation 820 of FIG. 8. Flow then moves tooperation 915 where the key server generates the cryptographicparameters used for generating the premaster secret. By way of aspecific example where the key exchange mechanism is Diffie-Hellman suchas DHE_DSS or DHE_RSA, the cryptographic parameters may include thefollowing: the prime modulus used for the Diffie-Hellman operation (p),the generator used for the Diffie-Hellman operation (g), and aDiffie-Hellman public value of the key server (ĝX mod p, where X is theDiffie-Hellman private value selected by the key server). As anotherspecific example where the key exchange mechanism is ECDHE such asECDHE_ECDSA or ECDHE_RSA, the cryptographic parameters include theEphemeral ECDH public key and a specification of the corresponding curve(the corresponding elliptic curve domain parameters) (e.g., as definedin RFC 4492). Flow moves from operation 915 to operation 920.

At operation 920, the key server accesses a private key that correspondswith the public key for the requested domain. The key server may receivean indication from the secure session server of the domain or zone namein which the client device is attempting to establish a secure sessionfor. This indication may be transmitted in a number of different waysincluding in a header, a custom binary structure, or a serializationformat (e.g., protobuf, JavaScript Object Notation (JSON), etc.). Thekey server uses this indication to access the private key thatcorresponds with the public key for the requested domain. Flow thenmoves to operation 925.

At operation 925, the key server signs the cryptographic parametersusing the accessed private key. Flow then moves to operation 930 wherethe key server transmits the signed cryptographic parameters to thesecure session server.

Referring back to FIG. 8, at operation 825, the secure session serverreceives a message with the signed set of cryptographic parameters fromthe key server. Flow then moves to operation 830 where the securesession server transmits the signed set of cryptographic parameters tothe client device. The signed set of cryptographic parameters may betransmitted to the client in a Server Key Exchange message. Flow movesfrom operation 830 to operation 835.

The client device will authenticate the information in the message(e.g., authenticate the signature) using the public key previouslyreceived from the server. Assuming that it is authenticated, the clientdevice will generate the premaster secret using in part thatinformation. The client device, however, does not communicate thepremaster secret to the secure session server in this embodiment.Rather, it communicates the information necessary for the secure sessionserver to generate the same premaster secret. For example, the clientdevice transmits its Diffie-Hellman public value (generated in part fromthe set of cryptographic parameters received from the secure sessionserver) to the secure session server. Thus, at operation 835, the securesession server receives a public value generated by the client devicebased in part on the cryptographic parameters (e.g., the client device'sDiffie-Hellman public value). Flow moves from operation 835 to operation840.

At operation 840, the secure session server transmits a request to thekey server to generate the premaster secret. This request includes thepublic value received from the client device.

Referring back to FIG. 9, the key server receives the request togenerate the premaster secret in operation 935. Flow then moves tooperation 940 and the key server generates the premaster secret usingthe received public value and at least some of the generatedcryptographic parameters. For example, the key server generates thepremaster secret by computing ŷX mod p, where y is the public value ofthe client device, X is the private value of the key server, and p isthe prime modulus value. Flow then moves to operation 945 where the keyserver transmits the premaster secret to the secure session server.

Referring back to FIG. 8, at operation 845, the secure session serverreceives the premaster secret from the key server. Flow then moves tooperation 850 and the secure session server generates a master secretusing the premaster secret. The client device also generates the samemaster secret. Flow then moves to operation 855, where the securesession server generates a set of session keys to be used in the securesession when encrypting and decrypting information. By way of a specificexample, the master secret is used to generate a client write MessageAuthentication Code (MAC) key, a server write MAC key, a client writeencryption key, and a server write encryption key. A client writeInitialization Vector (IV) and a server write IV may also be generateddepending on the cipher used.

Flow moves from operation 855 to operation 860 where the secure sessionserver completes the handshake with the client device and establishes asecure session with the client device. For example, the client deviceand secure session server each may transmit a Change Cipher Spec messageand a Finished message, as previously described herein. While the securesession is in operation, the client device and secure session server mayexchange data securely.

The key server may transmit the signed cryptographic parameters and/orthe premaster secret over a secure session. As part of establishing thesecure session between the key server and the secure session server, thekey server may request a client certificate from the secure sessionserver in order to authenticate the identity of the secure sessionserver. In some embodiments, the key server may use IP address basedblocking to verify that the key server is communicating with alegitimate secure session server (e.g., by verifying that the securesession server is communicating with an IP address having a value thatis expected by the key server). In some embodiments, the connectionbetween the key server and the secure session server is a VPNconnection. In some embodiments, the messages transmitted by the securesession server to the key server are signed with a private key that isknown only to the secure session server. In such embodiments, the keyserver verifies the validity of the signature of a message prior toacting on that message. In some embodiments, any combination of thesesecurity techniques may be used.

In another embodiment, the secure session server may request the keyserver to generate and sign the cryptographic parameters necessary togenerate the premaster secret and may also request and receive the keyserver's chosen private value used to generate the premaster secret. Insuch an embodiment, the secure session server can generate the premastersecret using the client device's Diffie-Hellman public value and theDiffie-Hellman private value chosen by the key server.

In another embodiment that is similar to the embodiment described withreference to FIG. 7, the key server also generates the master secret inaddition to generating the premaster secret. In such an embodiment, thesecure session server also transmits to the key server other informationthat may be necessary to generate the master secret in addition to thepremaster secret such as the client's Diffie-Hellman public value (usedto generate the premaster secret), the ClientHello.random value(included in the Client Hello message of operation 7.1), and theServerHello.random value (included in the Server Hello message ofoperation 7.2) if not already transmitted to the key server. By way ofexample, the master secret is calculated using a pseudorandom functionthat takes at least as input the premaster secret, theClientHello.random value, and the ServerHello.random value. In such anembodiment, the key server may transmit the generated master secret tothe secure session server which will proceed with the rest of thehandshake without being required to generate the master secret.

In another embodiment that is similar to the embodiment described withreference to FIG. 7, the key server generates the master secret andgenerates the session keys that will be used in the secure sessionbetween the client device and the secure session server in addition togenerating the premaster secret. In such an embodiment, the securesession server also transmits to the key server any necessaryinformation to the key server to generate the master secret and thesession keys in addition to generating the premaster secret. Forexample, this information may include the client's Diffie-Hellman publicvalue (which the key server uses to generate the premaster secret), theClientHello.random value, the ServerHello.random value, and anindication of the negotiated cipher suite (e.g., the information mayspecify the negotiated cipher suite that defines the cipherspecification (the key server may look up the parameters of the cipherspecification) or may specify parameters of the negotiated cipher suitefor generating the session keys including information identifying thepseudorandom function (PRF) algorithm, encrypted key length, fixed IVlength, and MAC key length) if they are not already transmitted to thekey server.

The key server generates the premaster secret and the master secret aspreviously described herein. The session keys may be generated using thePRF that takes as input the master secret, the ClientHello.random value,the ServerHello.random value, and a label (e.g., a Key Expansion label)to generate a key block that is partitioned into the client write MACkey, server write MAC key, client write encryption key, and server writeencryption key. The key server transmits the session keys to the securesession server for use in the secure session between the client deviceand the secure session server. The key server may also transmit themaster secret to the secure session server for use verifying that thekey exchange was successful and also for resuming sessions.

FIG. 10 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device 1010 and a securesession server 1020 where the secure session server 1020 does not haveaccess to the private key used during the secure session handshakeaccording to another embodiment. The embodiment described with referenceto FIG. 10 is similar to the embodiment described with reference to FIG.1 with the exception that in addition to transmitting the encryptedpremaster secret to the key server, the secure session server 1020 alsotransmits the ClientHello.random value and the ServerHello.random valueto the key server 1030, and the key server 1030 decrypts the encryptedpremaster secret and generates the master secret.

The client device 1010 (including the client network application 1015)is similar to the client device 110 of FIG. 1. The secure session server1020, including the secure session module 1040 and the certificate(s)1045, are similar to the secure session server 120 (including the securesession module 140 and the certificate(s) 145), but perform differentoperations as will be described below. The key server 1030 is similar tothe key server 130 of FIG. 1, but performs different operations as willbe described below.

At operation 10.1, the client device 1010 transmits a Client Hellomessage to the secure session server 1020. This Client Hello message issimilar to the Client Hello message described in operation 1.1 of FIG. 1and transmitted to the secure session server 1020 for similar reasons.The Client Hello message includes, among other data, aClientHello.random value.

In response to the Client Hello message, at operation 10.2 the securesession server 1020 transmits a Server Hello message to the clientdevice 1010. This Server Hello message is similar to the Server Hellomessage described in operation 1.2 of FIG. 1. The Server Hello messageincludes, among other data, a ServerHello.random value.

The secure session server 1020 also transmits a Certificate message tothe client device 1010 at operation 10.3 (a server Certificate). ThisCertificate message is similar to the Certificate message described inoperation 1.3 of FIG. 1. The Certificate message includes a digitalcertificate for the requested domain. For example, if the requesteddomain is example.com, the Certificate message includes a digitalcertificate bound to example.com. The digital certificate includes,among other things, a public key. The secure session server 1020 doesnot store the private key that corresponds with the public key includedin the certificate.

At operation 10.4, the secure session server 1020 transmits a ServerHello Done message to the client device 1010 that indicates that thehello-message phase of the handshake is complete.

At operation 10.5, the client device 1010 transmits a Client KeyExchange message to the secure session server 1020. The Client KeyExchange message includes a random value called a premaster secret thathas been encrypted using the public key included in the Certificatemessage of operation 10.3. By way of a specific example, if the RSAalgorithm is being used for key agreement and authentication, the clientdevice 1010 generates a 48-byte value for the premaster secret andencrypts it using the public key from the server's certificate andtransmits the encrypted premaster secret to the secure session server1020. As will be described below, the decrypted premaster secret is usedto generate a shared secret between the client device 1010 and thesecure session 1020 (called the master secret), which is then used whengenerating the encryption and decryption keys used to encrypt anddecrypt data transmitted during the secure session. It should beunderstood that if the encrypted premaster secret cannot be decrypted,then the handshake will fail and the secure session will not beestablished.

The secure session server 1020 does not have the private key to decryptthe premaster secret. However, the private key is stored on the keyserver 1030 (as one of the private key(s) 1050). Although FIG. 10illustrates the key server 1030 storing the private keys, in otherembodiments the key server 1030 has access to the private keys but thoseprivate keys are stored on a different device.

At operation 10.6, the secure session server 1020 transmits theencrypted premaster secret to the key server 1030. In addition to theencrypted premaster secret, the secure session server 1020 alsotransmits the ClientHello.random value and the ServerHello.random valueto the key server 1030 in operation 10.6.

The key server 1030 decrypts the encrypted premaster secret using theappropriate private key for the requested domain. The key server 1030uses the decrypted premaster secret to calculate the master secret. Theclient device 1010 and the key server 1030 use the same algorithm anddata to calculate the same master secret. By way of example, the mastersecret is calculated using a pseudorandom function that takes as inputthe premaster secret, the ClientHello.random value, and theServerHello.random value.

After generating the master secret, the key server 1030 transmits themaster secret to the secure session server 1020 at operation 10.7. Inone embodiment, the messages of operations 10.6 and 10.7 are transmittedover a secure connection 1055 (e.g., encrypted using SSL or TLS, orother mechanisms) and/or the encrypted premaster secret and thedecrypted premaster secret are otherwise encrypted.

In one embodiment, the key server 1030 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 1030 may store orhave access to the private key for example.com and example2.com, whichmay be owned or controlled by different entities. In such an embodiment,in conjunction with transmitting the encrypted premaster secret to thekey server 1030, the secure session server 1020 indicates the domain orzone in which the client device 1010 is requesting a connection. Forexample, if the client device 1010 is requesting a secure session withexample.com, then the secure session server 1020 indicates to the keyserver 1030 that example.com is the requested domain. The client device1010 may specify the destination domain using the Server Name Indication(SNI) extension in the Client Hello message. SNI is described in RFC3546, June 2003. If the destination is not specified by the clientdevice 1010 (e.g., the client device 1010 does not support SNI), thenthe secure session server 1020 matches the destination IP address of theclient-hello message sent by the client device 1010 with thecorresponding hostname (e.g., the secure session server 1020 may includea mapping of IP addresses and hostnames). The secure session server 1020may transmit the indication of the domain or zone name to the key server1030 in a number of different ways including in a header, a custombinary structure, or a serialization format (e.g., protobuf, JavaScriptObject Notation (JSON), etc.). After receiving the indication of thedomain or zone name in which the client is attempting to connect, thekey server 1030 accesses the corresponding private key and decrypts theencrypted premaster secret. In another embodiment, a certificatefingerprint or a hash of the modulus (for RSA) may be used to identifythe corresponding private key. For example, the secure session server1020 may generate a fingerprint over the certificate included in theCertificate message of operation 10.3 (e.g., a hash may be generatedover the certificate) and transmit that fingerprint value to the keyserver 1030. The key server 1030 uses the same fingerprint algorithm togenerate a fingerprint over its digital certificates and matches each tothe corresponding private key. Upon receiving the fingerprint value fromthe secure session server 1020, the key server 1030 matches thatfingerprint value with one of the fingerprint values it generated overthe public certificate (the same public certificate included in theCertificate message of operation 10.3) to lookup the correspondingprivate key. As another example, the secure session server 1020 may hashthe modulus of the public key included in the certificate of theCertificate message of operation 10.3 and transmit that hash value tothe key server 1030. The key server 1030 uses the same hash algorithm togenerate a hash value over the modulus over its stored public keys andmatches each to the corresponding private key. Upon receiving the hashvalue from the secure session server 1020, the key server 1030 matchesthat hash value with one of the hash values it generated to lookup thecorresponding private key.

The master secret is used by the client device 1010 and the securesession server 1020 to generate session keys that are used to encryptand decrypt information during the secure session. By way of a specificexample, the master secret is used to generate a client write MessageAuthentication Code (MAC) key, a server write MAC key, a client writeencryption key, and a server write encryption key. A client writeInitialization Vector (IV) and a server write IV may also be generateddepending on the cipher used.

At operation 10.8, the client device 1010 transmits a Change Cipher Specmessage to the secure session server 1020. The Change Cipher Specmessage from the client device 1010 indicates that future messagestransmitted by the client device 1010 will be encrypted. At operation10.9, the client device 1010 transmits a Finished message to the securesession server 1020. The Finished message is encrypted using thegenerated session keys. By way of example, the Finished message includesan encrypted hash of all of the messages in the handshake previouslysent and received.

At operation 10.10, the secure session server 1020 transmits a ChangeCipher Spec message to the client device 1010 that indicates that futuremessages transmitted by the secure session server 1020 will beencrypted. At operation 10.11, the secure session server 1020 transmitsa Finished message to the client device 1010. The Finished message mayinclude an encrypted hash of all of the messages in the handshakepreviously sent and received.

After the Finished message of operation 10.11, the handshake is completeand the secure session 1060 is considered to be established. Atoperation 10.12, future messages of the secure session between theclient device 1010 and secure session server 1020 are encrypted over thesecure session 1060, which carry the application data of the connection.

As described above, the connection between the secure session server1020 and the key server 1030 may be a secure connection for securelytransmitting the decrypted premaster secret and optionally securelytransmitting the encrypted premaster secret. As described above, asecure session (e.g., SSL or TLS) may be established between the securesession server 1020 and the key server 1030. As part of establishing thesecure session, the key server 1030 may request a client certificatefrom the secure session server 1020 and the secure session server 1020may transmit a client Certificate message that includes its certificateto the key server 1030. The data in the client Certificate message isused by the key server 1030 to authenticate the identity of the securesession server 1020.

In some embodiments, the key server 1030 may use IP address blocking toaccept connections (such as from the secure session server 1020) fromonly certain IP addresses. For example, the key server 1030 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 1030 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 1030. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 1020 andthe key server 1030.

Although a secure session has been described between the secure sessionserver 1020 and the key server 1030 that is initiated by the securesession server 1020, in other embodiments the secure session can beinitiated by the key server 1030.

In some embodiments, the messages transmitted by the secure sessionserver 1020 to the key server 1030 are signed with a private key that isknown only to the secure session server 1020. In such embodiments, thekey server 1030 verifies the validity of the signature of a messageprior to acting on that message. By way of example, the message thatincludes the encrypted premaster secret at operation 10.6 may be signedwith a private key known only to the secure session server 1020. The keyserver 1030 verifies whether the signature is valid using thecorresponding public key and will only continue with the operations ifthe signature is valid.

A combination of the security techniques described may be used toprovide security for the decrypted premaster secret. For example, acombination of requiring a client Certificate, IP address blocking, andsigning the messages transmitted by the secure session server with aprivate key known only to the secure session server may be used toprovide security for the connection between the secure session server1020 and the key server 1030.

In one embodiment, the secure connection 1055 between the secure sessionserver 1020 and the key server 1030 may be a Virtual Private Network(VPN) connection, which may be desirable in a firewalled environment.

FIG. 11 is a flow diagram that illustrates exemplary operationsperformed on a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and thesecure session server where the secure session server does not haveaccess to a private key for the requested domain according to anotherembodiment. The private key is stored remotely from the secure sessionserver (e.g., on a key server). The embodiment described with referenceto FIG. 11 is similar to the embodiment described with reference to FIG.2 with the exception that in addition to transmitting the encryptedpremaster secret to the key server, the secure session server alsotransmits the ClientHello.random value and the ServerHello.random valueto the key server and the key server decrypts the encrypted premastersecret and generates the master secret.

At operation 1110, the secure session server receives a message from theclient device that initiates a procedure to establish a secure sessionwith the client device. For example, the secure session server mayreceive a Client Hello message from the client device (e.g., an SSL orTLS Client Hello message). Depending on the protocol and capabilities ofthe client device, the message may indicate the destination host name inwhich the client device wishes to establish a secure session (e.g., theClient Hello message may include the Server Name Indication (SNI)extension and specify the destination host name). The message may alsoinclude random data used for cryptographic purposes (sometimes referredto as ClientHello.random), and may indicate whether and what type ofextensions (defined by the protocol) the client supports.

In response to receiving the message in operation 1110, the securesession server may perform a number of operations, includingtransmitting a digital certificate to the client device at operation1115. The digital certificate includes a public key for the requesteddomain. It should be understood that the private key that corresponds tothe public key is not stored on the secure session server (e.g., it isstored remotely on a key server). The digital certificate may betransmitted in an SSL or TLS Certificate message. Prior to transmittingthe digital certificate, the secure session server may perform a numberof other operations including transmitting a Server Hello message to theclient device which includes random data used for cryptographic purposesthat is different than the random data included in the ClientHellomessage (sometimes referred to as ServerHello.random) and may include alist of the extensions that the secure session server supports.

If the message in operation 1110 indicates the destination domain, thesecure session server transmits the digital certificate bound to thatdestination domain. If the message in operation 1110 does not indicatethe destination host name, the secure session server transmits thedigital certificate that is associated with the destination IP addressof the message in operation 1110, which is bound to the requesteddomain. Flow moves from operation 1115 to operation 1120.

At operation 1120, the secure session server receives from the clientdevice a premaster secret that has been encrypted using the public keyin the digital certificate transmitted in operation 1115. The encryptedpremaster secret may be sent by the client device in a SSL or TLS ClientKey Exchange message. Flow moves from operation 1120 to operation 1125.

The secure session server does not have the private key that correspondswith the public key that encrypted the premaster secret. As a result,the secure session server cannot decrypt the encrypted premaster secretto obtain the premaster secret. At operation 1125, the secure sessionserver transmits the encrypted premaster secret, the ClientHello.randomvalue, and the ServerHello.random value to a key server that has theprivate key that can decrypt the encrypted premaster secret.

In one embodiment, the key server is located remotely from the securesession server. Moreover, in some embodiments, the secure session serverand the key server may be owned and/or operated by different entities.For example, the secure session server may not be under physical controlof the owner of the requested domain while the key server is underphysical control of the owner of the requested domain. In oneembodiment, the encrypted premaster secret, the ClientHello.randomvalue, and the ServerHello.random value are transmitted to the keyserver over a secure connection (e.g., encrypted using SSL or TLS)and/or is otherwise encrypted. Flow moves from operation 1125 tooperation 1130.

In response to receiving the encrypted premaster secret, the key serverdecrypts the encrypted premaster secret to obtain the premaster secret.In addition, the key server generates the master secret using thepremaster secret, the ClientHello.random value, and theServerHello.random value. FIG. 12 is a flow diagram that illustratesexemplary operations performed by a key server in response to receivingan encrypted premaster secret, a ClientHello.random value, and aServerHello.random value from a secure session server according to oneembodiment.

At operation 1210, the key server receives an encrypted premastersecret, a ClientHello.random value, and a ServerHello.random value fromthe secure session server. For example, the key server receives theencrypted premaster secret, ClientHello.random value, andServerHello.random value transmitted by the secure session server inoperation 1125 of FIG. 11.

Flow then moves to operation 1215 where the key server accesses aprivate key that corresponds with the public key that was used toencrypt the premaster secret. The key server may receive from the securesession server an indication of the domain or zone name in which theclient device is attempting to establish a secure session for. Thisindication may be transmitted in a number of different ways including ina header, a custom binary structure, or a serialization format (e.g.,protobuf, JavaScript Object Notation (JSON), etc.). The key server usesthis indication to access the private key that corresponds with thepublic key that encrypted the premaster secret.

Flow then moves to operation 1220 where the key server decrypts theencrypted premaster secret using the accessed private key. Flow thenmoves to operation 1225 where the key server generates a master secretusing the decrypted premaster secret, the ClientHello.random value, andthe ServerHello.random value. By way of example, the master secret iscalculated using a pseudorandom function that takes as input at leastthe premaster secret, the ClientHello.random value, and theServerHello.random value. The client device will use the samepseudorandom function over the same input to compute the same mastersecret.

Flow then moves to operation 1230 where the key server transmits thegenerated master secret to the secure session server. The transmissionof the master secret to the secure session server may be over a securesession between the secure session server and the key server and/or mayitself be encrypted in a way that can be decrypted by the secure sessionserver. If the transmission is over a secure session between the keyserver and the secure session server, as part of establishing thatsecure session the key server may request a client certificate from thesecure session server in order to authenticate the identity of thesecure session server. In some embodiments, the key server may use IPaddress based blocking to verify that the key server is communicatingwith a legitimate secure session server (e.g., by verifying that thesecure session server is communicating with an IP address having a valuethat is expected by the key server). In some embodiments, the connectionbetween the key server and the secure session server is a VPNconnection. In some embodiments, the messages transmitted by the securesession server to the key server are signed with a private key that isknown only to the secure session server. In such embodiments, the keyserver verifies the validity of the signature of a message prior toacting on that message. In some embodiments, any combination of thesesecurity techniques may be used.

Referring back to FIG. 11, at operation 1130, the secure session serverreceives the master secret from the key server. In one embodiment, themaster secret is transmitted to the key server over a secure connection(e.g., encrypted using SSL or TLS) and/or is otherwise encrypted suchthat the secure session server is able to decrypt the message containingthe master secret. Flow moves from operation 1130 to operation 1135.

After receiving the master secret from the key server, the securesession server can proceed with the secure session handshake with theclient device and establish the secure session. At operation 1135, thesecure session server uses the master secret to generate a set ofsession keys to be used in the secure session when encrypting anddecrypting information. By way of a specific example, the master secretis used to generate a client write Message Authentication Code (MAC)key, a server write MAC key, a client write encryption key, and a serverwrite encryption key. A client write Initialization Vector (IV) and aserver write IV may also be generated depending on the cipher used.

Flow moves from operation 1135 to operation 1140 where the securesession server completes the handshake with the client device andestablishes a secure session with the client device. For example, theclient device and secure session server each may transmit a ChangeCipher Spec message and a Finished message, as previously describedherein. While the secure session is in operation, the client device andsecure session server may exchange data securely.

While FIGS. 10, 11, and 12 were described with respect to the key servertransmitting the master secret to the secure session server where thesecure session server generates the session keys used in the securesession, in other embodiments the key server also generates the sessionkeys and transmits the session keys to the secure session server. FIG.13 illustrates exemplary messages for establishing a secure sessionusing public-key cryptography between a client device 1310 and a securesession server 1320 where the secure session server 1320 does not haveaccess to the private key used during the secure session handshakeaccording to another embodiment. The embodiment described with referenceto FIG. 13 is similar to the embodiment described with reference to FIG.10 with a difference that the key server 1330 generates and transmitsthe session keys to the secure session server 1320 that are to be usedin the secure session between the client device 1310 and the securesession server 1320. For example, the secure session server 1320transmits the necessary information to generate the session keys to thekey server 1330 in addition to the encrypted premaster secret.

The client device 1310 (including the client network application 1315)is similar to the client device 110 of FIG. 1. The secure session server1320, including the secure session module 1340 and the certificate(s)1345, are similar to the secure session server 120 (including the securesession module 140 and the certificate(s) 145), but perform differentoperations as will be described below. The key server 1330 is similar tothe key server 130 of FIG. 1, but performs different operations as willbe described below.

At operation 13.1, the client device 1310 transmits a Client Hellomessage to the secure session server 1320. This Client Hello message issimilar to the Client Hello message described in operation 1.1 of FIG. 1and transmitted to the secure session server 1320 for similar reasons.The Client Hello message includes, among other data, aClientHello.random value.

In response to the Client Hello message, at operation 13.2 the securesession server 1320 transmits a Server Hello message to the clientdevice 1310. This Server Hello message is similar to the Server Hellomessage described in operation 1.2 of FIG. 1. The Server Hello messageincludes, among other data, a ServerHello.random value.

The secure session server 1320 also transmits a Certificate message tothe client device 1310 at operation 13.3 (a server Certificate). ThisCertificate message is similar to the Certificate message described inoperation 1.3 of FIG. 1. The Certificate message includes a digitalcertificate for the requested domain. For example, if the requesteddomain is example.com, the Certificate message includes a digitalcertificate bound to example.com. The digital certificate includes,among other things, a public key. The secure session server 1320 doesnot store the private key that corresponds with the public key includedin the certificate.

At operation 13.4, the secure session server 1320 transmits a ServerHello Done message to the client device 1310 that indicates that thehello-message phase of the handshake 1370 is complete.

At operation 13.5, the client device 1310 transmits a Client KeyExchange message to the secure session server 1320. The Client KeyExchange message includes a random value called a premaster secret thathas been encrypted using the public key included in the Certificatemessage of operation 13.3. By way of a specific example, if the RSAalgorithm is being used for key agreement and authentication, the clientdevice 1310 generates a 48-byte value for the premaster secret andencrypts it using the public key from the server's certificate andtransmits the encrypted premaster secret to the secure session server1320. As will be described below, the decrypted premaster secret is usedto generate a master secret that is used when generating the encryptionand decryption keys used to encrypt and decrypt data transmitted duringthe secure session. It should be understood that if the encryptedpremaster secret cannot be decrypted, then the handshake will fail andthe secure session will not be established.

The secure session server 1320 does not have the private key to decryptthe premaster secret. However, the private key is stored on the keyserver 1330 (as one of the private key(s) 1350). Although FIG. 13illustrates the key server 1330 storing the private keys, in otherembodiments the key server 1330 has access to the private keys but thoseprivate keys are stored on a different device.

At operation 13.6, the secure session server 1320 transmits to the keyserver 1330 the necessary information to generate the session keys to beused in the secure session. For example, this information may includethe encrypted premaster secret (which the key server 1330 decrypts usingthe private key 1350 which is then used to generate the master secret),the ClientHello.random value, the ServerHello.random value, and anindication of the negotiated cipher suite (e.g., the information mayspecify the negotiated cipher suite that defines the cipherspecification (the key server may look up the parameters of the cipherspecification) or may specify parameters of the negotiated cipher suitefor generating the session keys including information identifying thepseudorandom function (PRF) algorithm, encrypted key length, fixed IVlength, and MAC key length) if they are not already transmitted to thekey server 1330. The key server 1330 decrypts the encrypted premastersecret using the appropriate private key for the requested domain. Thekey server 1330 uses the decrypted premaster secret to calculate themaster secret. The client device 1310 and the key server 1330 use thesame algorithm and data to calculate the same master secret. By way ofexample, the master secret is calculated using a pseudorandom functionthat takes as input the premaster secret, the ClientHello.random value,and the ServerHello.random value.

After generating the master secret, the key server 1330 uses the mastersecret and the information sent in operation 13.6 to generate sessionkeys that are used to encrypt and decrypt information during the securesession. By way of a specific example, a client write MessageAuthentication Code (MAC) key, a server write MAC key, a client writeencryption key, and a server write encryption key is generated. A clientwrite Initialization Vector (IV) and a server write IV may also begenerated depending on the cipher used.

After generating the session keys, the key server 1330 transmits thesession keys to the secure session server 1320 at operation 13.7. In oneembodiment, the messages of operations 13.6 and 13.7 are transmittedover a secure connection 1355 (e.g., encrypted using SSL or TLS, orother mechanisms) and/or the data itself is otherwise encrypted.

In one embodiment, the key server 1330 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 1330 may store orhave access to the private key for example.com and example2.com, whichmay be owned or controlled by different entities. In such an embodiment,in conjunction with transmitting the information necessary to generatethe session keys to the key server 1330, the secure session server 1320indicates the domain or zone in which the client device 1310 isrequesting a connection. For example, if the client device 1310 isrequesting a secure session with example.com, then the secure sessionserver 1320 indicates to the key server 1330 that example.com is therequested domain. The client device 1310 may specify the destinationdomain using the Server Name Indication (SNI) extension in the ClientHello message. SNI is described in RFC 3546, June 2003. If thedestination is not specified by the client device 1310 (e.g., the clientdevice 1310 does not support SNI), then the secure session server 1320matches the destination IP address of the client-hello message sent bythe client device 1310 with the corresponding hostname (e.g., the securesession server 1320 may include a mapping of IP addresses andhostnames). The secure session server 1320 may transmit the indicationof the domain or zone name to the key server 1330 in a number ofdifferent ways including in a header, a custom binary structure, or aserialization format (e.g., protobuf, JavaScript Object Notation (JSON),etc.). After receiving the indication of the domain or zone name inwhich the client is attempting to connect, the key server 1330 accessesthe corresponding private key. In another embodiment, a certificatefingerprint or a hash of the modulus (for RSA) may be used to identifythe corresponding private key. For example, the secure session server1320 may generate a fingerprint over the certificate included in theCertificate message of operation 13.3 (e.g., a hash may be generatedover the certificate) and transmit that fingerprint value to the keyserver 1330. The key server 1330 uses the same fingerprint algorithm togenerate a fingerprint over its digital certificates and matches each tothe corresponding private key. Upon receiving the fingerprint value fromthe secure session server 1320, the key server 1330 matches thatfingerprint value with one of the fingerprint values it generated overthe public certificate (the same public certificate included in theCertificate message of operation 13.3) to lookup the correspondingprivate key. As another example, the secure session server 1320 may hashthe modulus of the public key included in the certificate of theCertificate message of operation 13.3 and transmit that hash value tothe key server 1330. The key server 1330 uses the same hash algorithm togenerate a hash value over the modulus over its stored public keys andmatches each to the corresponding private key. Upon receiving the hashvalue from the secure session server 1320, the key server 1330 matchesthat hash value with one of the hash values it generated to lookup thecorresponding private key.

At operation 13.8, the client device 1310 transmits a Change Cipher Specmessage to the secure session server 1320. The Change Cipher Specmessage from the client device 1310 indicates that future messagestransmitted by the client device 1310 will be encrypted. At operation13.9, the client device 1310 transmits a Finished message to the securesession server 1320. The Finished message is encrypted using thegenerated session keys. By way of example, the Finished message includesan encrypted hash of all of the messages in the handshake 1370previously sent and received.

In one embodiment the secure session server 1320 uses the information inthe Finished message to verify that the key exchange was successful. Inone embodiment, verifying that the key exchange was successful includesusing a pseudorandom function that includes as its input the mastersecret. In such an embodiment, the secure session server 1320 mayreceive the master secret from the key server 1330. For example,verifying that the key exchange was successful may include the securesession server 1320 calculating a value using a pseudorandom functionthat takes as input the master secret, a finished label (e.g., a clientfinished label), and a hash of all of the messages in the handshake 1370previously sent to the client device 1310 and received from the clientdevice 1310 (e.g., the Client Hello message of operation 13.1, theServer Hello message of operation 13.2, the Certificate message ofoperation 13.3, the Server Hello Done message of operation 13.4, theClient Key Exchange message of operation 13.5, and the Change CipherSpec message of operation 13.8). That calculated value is compared withthe value received in the Finished message (the values should be thesame if the key exchange was successful). It should be understood thatif the verification fails, the handshake 1370 does not continue. Inorder to generate the hash of the messages in the handshake 1370, thesecure session server 1320 may cache the messages that it receives fromthe client device 1310 and sends to the client device 1310 such that itmay generate the hash for the comparison. Alternatively the securesession server 1320 may use incremental hashing and update the hashvalue upon receiving each message from the client device 1310 andtransmitting each message to the client device 1310.

In an alternative embodiment where the key server 1330 does not transmitthe master secret to the secure session server 1320, the secure sessionserver 1320 transmits the value included in the Finished messagereceived in operation 13.9 or the Finished message itself to the keyserver 1330 for verifying that the key exchange was successful. Thesecure session server 1320 may also generate the hash value and transmitit to the key server 1330 for use in the verification. In such anembodiment, the key server 1330 responds to the secure session server1320 whether the key exchange was verified as successful. It should beunderstood that if the key exchange is not verified, the handshake willnot continue.

At operation 13.10, the secure session server 1320 transmits a ChangeCipher Spec message to the client device 1310 that indicates that futuremessages transmitted by the secure session server 1320 will beencrypted. At operation 13.11, the secure session server 1320 transmitsa Finished message to the client device 1310. The Finished message mayinclude an encrypted hash of all of the messages in the handshake 1370previously sent and received and is used by the client device 1310 toverify that the key exchange was successful. In one embodiment theFinished message includes a value calculated using a pseudorandomfunction that takes as input the master secret, a finished label (e.g.,a server finished label), and a hash of all of the messages in thehandshake 1370 previously received from the client device 1310 and sentto the client device 1310 (e.g., the Client Hello message of operation13.1, the Server Hello message of operation 13.2, the Certificatemessage of operation 13.3, the Server Hello Done message of operation13.4, the Client Key Exchange message of operation 13.5, the ChangeCipher Spec message of operation 13.8, the Finished message of operation13.9, and the Change Cipher Spec message of operation 13.10). In such anembodiment, the secure session server 1320 may receive the master secretfrom the key server 1330. In order to generate the hash of the messagesin the handshake 1370, the secure session server 1320 may cache themessages that it receives from the client device 1310 and sends to theclient device 1310 such that it may generate the hash for thecomparison. Alternatively the secure session server 1320 may useincremental hashing and update the hash value upon receiving eachmessage from the client device 1310 and transmitting each message to theclient device 1310.

In an alternative embodiment, the secure session server 1320 transmits arequest to the key server 1330 to generate the value to be included inthe Finished message or to generate the entire Finished message thatwill be transmitted to the client device 1310. The secure session server1320 may also generate the hash value and transmit it to the key server1330 for use in generating the value included in the Finished message.In such an embodiment, the key server 1330 responds to the securesession server 1320 with either the generated value to be included inthe Finished message or the generated Finished message that includes thegenerated value.

After the Finished message of operation 13.11, the handshake 1370 iscomplete and the secure session 1360 is considered to be established. Atoperation 13.12, future messages of the secure session between theclient device 1310 and secure session server 1320 are encrypted over thesecure session 1360, which carry the application data of the connection.

As described above, the connection between the secure session server1320 and the key server 1330 may be a secure connection for securelytransmitting the information necessary to generate the session keys andthe generated session keys. As described above, a secure session (e.g.,SSL or TLS) may be established between the secure session server 1320and the key server 1330. As part of establishing the secure session, thekey server 1330 may request a client certificate from the secure sessionserver 1320 and the secure session server 1320 may transmit a clientCertificate message that includes its certificate to the key server1330. The data in the client Certificate message is used by the keyserver 1330 to authenticate the identity of the secure session server1320.

In some embodiments, the key server 1330 may use IP address blocking toaccept connections (such as from the secure session server 1320) fromonly certain IP addresses. For example, the key server 1330 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 1330 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 1330. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 1320 andthe key server 1330.

Although a secure session has been described between the secure sessionserver 1320 and the key server 1330 that is initiated by the securesession server 1320, in other embodiments the secure session can beinitiated by the key server 1330.

In some embodiments, the messages transmitted by the secure sessionserver 1320 to the key server 1330 are signed with a private key that isknown only to the secure session server 1320. In such embodiments, thekey server 1330 verifies the validity of the signature of a messageprior to acting on that message. By way of example, the message thatincludes the information necessary to generate the session keys atoperation 13.6 may be signed with a private key known only to the securesession server 1320. The key server 1330 verifies whether the signatureis valid using the corresponding public key and will only continue withthe operations if the signature is valid.

A combination of the security techniques described may be used toprovide security for the generation of the session keys. For example, acombination of requiring a client Certificate, IP address blocking, andsigning the messages transmitted by the secure session server with aprivate key known only to the secure session server may be used toprovide security for the connection between the secure session server1320 and the key server 1330.

In one embodiment, the secure connection 1355 between the secure sessionserver 1320 and the key server 1330 may be a Virtual Private Network(VPN) connection, which may be desirable in a firewalled environment.

In some embodiments the key server 1330 may transmit the master secretit generated to the secure session server 1320. The master secret may beused by the secure session server 1320 to support resuming sessions.Sessions may be resumed using a stateful session resumption or using astateless session resumption. Stateful session resumption includesstoring session state on the server (e.g., the master secret and thecipher suite). Stateless session resumption includes storing sessionstate (e.g., the master secret and the cipher suite) in a ticket(encrypted with a key not known to the client) that is presented to theclient and returned by the client when requesting session resumption.For example, when a connection is established by resuming a session(e.g., the client device 1310 transmits a ClientHello message with asession ID of a session that is capable of being resumed), newClientHello.random and ServerHello.random values are generated andhashed with the master secret of the established session. If the mastersecret is not transmitted to the secure session server 1320, the securesession server 1320 may request the key server 1330 to hash the newClientHello.random and ServerHello.random values with the master secretand provide the result to the secure session server 1320.

For example, the operations 13.13 through 13.21 illustrate resuming asession according to one embodiment. Prior to operation 13.13, thesecure session 1360 between the client device 1310 and the securesession server 1320 has been closed. At some point later, at operation13.13, the secure session server 1320 receives a Client Hello messagefrom the client device 1310. This Client Hello message differs from theClient Hello message of operation 13.1 in that it effectively includes arequest to resume the session. This Client Hello message may include asession ID that was set for a previously established secure session(e.g., the secure session 1360). The Client Hello message of operation13.13 includes a different random value than the Client Hello message ofoperation 13.1 (a different ClientHello.random value).

Embodiments may support the use of stateful session resumption and/orstateless session resumption. In the case of stateless sessionresumption, encrypted session state information is transmitted to theclient device 1310 in the form of a ticket that the client may presentback to the secure session server 1320 when requesting resumption of asession. The ticket includes session state (e.g., the cipher suite andthe master secret) and is encrypted with a key that is not known by theclient device 1310 (e.g., it may be encrypted with a key that is knownonly to the key server 1330 and/or to the secure session server 1320).The client device 1310 can request a session be resumed using theticket. In some embodiments the ticket is generated by the key server1330 whereas in other embodiments the ticket is generated by the securesession server 1320. An exemplary format of the ticket may be defined inaccordance with RFC 5077, “Transport Layer Security (TLS) SessionResumption without Server-Side State”, January 2008. If the securesession server 1320 is generating the ticket, then the key server 1330transmits the master secret to the secure session server 1320. If thekey server 1330 is generating the ticket, the secure session server 1320may transmit a request to the key server 1330 to generate the ticketonly when the client device 1310 indicates that it supports thisextension, where this request may be transmitted to the key server 1330after the Finished message transmitted by the client device 1310 hasbeen successfully verified. The key server 1330 receives the request togenerate the ticket, generates the ticket (encrypting it with a key thatis known only to the key server 1330 for example), and transmits theticket to the secure session server 1320. The secure session server 1320transmits the ticket to the client device 1310 before the Change CipherSpec message of operation 13.10 and after the Finished message of theclient device 1310 has been verified. In such embodiments, the ClientHello message of operation 13.13 includes the ticket (e.g., in aSessionTicket extension as defined in RFC 5077).

At operation 13.14 the secure session server 1320 transmits a request tothe key server 1330 to generate session keys for resuming the session.As part of this request, the secure session server 1320 transmits theClientHello.random value included in the Client Hello message ofoperation 13.13, a new ServerHello.random value to the key server 1330(this ServerHello.random value is different than the ServerHello.randomvalue used in the secure session 1360). If the Client Hello message ofoperation 13.13 includes a ticket for resuming the session that wascreated by the key server 1330 and encrypted with a key known only tothe key server 1330, then secure session server 1420 also transmits theticket to the key server 1330 for resuming the session (which may be inthe request of operation 13.14). The secure session server 1320 may alsotransmit the session identifier included in the Client Hello message ofoperation 13.13 (if non-empty) to the key server 1330. In oneembodiment, instead of the secure session server 1320 generating andtransmitting a new ServerHello.random value to the key server 1330, thekey server 1330 generates the new ServerHello.random value.

Assuming that the session can be resumed (e.g., a valid ticket wasincluded in the Client Hello message of operation 13.13 or the sessionidentifier included in the Client Hello message of operation 13.13matches session information in the key server 1330 and the key server1330 is willing to re-establish the connection under the specifiedsession state), the key server 1330 generates the session keys for theresumed session (which will be different than the session keys used forthe secure session 1360) using the existing master secret generated forthe secure session 1360 and the new ClientHello.random andServerHello.random values (along with other security parameters thathave been previously negotiated). The key server 1330 may retrieve thesession state (e.g., the master secret and cipher suite) from thecontents of the ticket (if included in the Client Hello message ofoperation 13.13) for stateless session resumption or through its sessioncache if resuming under stateful session resumption. The session keysmay include a client write MAC key, a server write MAC key, a clientwrite encryption key, and a server write encryption key. A client writeIV and a server write IV may also be generated depending on the cipherused. The key server 1330 transmits the session keys to the securesession server 1320 at operation 13.15.

In one embodiment, the messages of operations 13.14 and 13.15 aretransmitted over a secure connection 1355 (e.g., encrypted using SSL orTLS, or other mechanisms) and/or the data itself is otherwise encrypted.The secure connection used between the secure session server 1320 andthe key server 1330 may be a persistent connection or it may be a newsecure session (e.g., different than the secure connection 1355).

At operation 13.16, the secure session server 1320 transmits a ServerHello message to the client device 1310. This Server Hello messageincludes a new ServerHello.random value. At operation 13.17, the securesession server 1320 transmits a Change Cipher Spec message to the clientdevice 1310 that indicates that future messages transmitted by thesecure session server 1320 will be encrypted using the newly negotiatedkeys. At operation 13.18, the secure session server 1320 transmits aFinished message to the client device 1310. The Finished message mayinclude an encrypted hash of all of the messages in the handshake 1375previously sent and received and is used by the client device 1310 toverify that the key exchange was successful. In one embodiment theFinished message includes a value calculated using a pseudorandomfunction that takes as input the master secret, a finished label (e.g.,a server finished label), and a hash of all of the messages in thehandshake 1375 previously received from the client device 1310 and sentto the client device 1310 for this handshake 1375 (e.g., the ClientHello message of operation 13.13, the Server Hello message of operation13.16, and the Change Cipher Spec message of operation 13.17).

At operation 13.19, the client device 1310 transmits a Change CipherSpec message to the secure session server 1320. The Change Cipher Specmessage from the client device 1310 indicates that future messagestransmitted by the client device 1310 will be encrypted using the newlynegotiated keys. At operation 13.20, the client device 1310 transmits aFinished message to the secure session server 1320. The Finished messageis encrypted using the generated session keys. By way of example, theFinished message includes an encrypted hash of all of the messages inthis handshake 1375 previously sent and received.

The information in the Finished message of operation 13.20 is verifiedto determine whether the key exchange was successful. As described abovewith respect to verifying the information in the Finished message ofoperation 13.9, in some embodiments the secure session server 1320verifies the Finished message and in other embodiments the securesession server 1320 transmits the value included in the Finished messageor the Finished message itself to the key server 1330 for verifyingwhether the key exchange was successful.

After the Finished message of operation 13.20 has been verified, thehandshake 1375 is complete and the secure session 1365 is considered tobe established. At operation 13.21, future messages of the securesession between the client device 1310 and secure session server 1320are encrypted over the secure session 1360, which carry the applicationdata of the connection.

While FIG. 13 illustrates an exemplary order of messages beingtransmitted between the client device 1310, the secure session server1320, and the key server 1330, certain messages may be transmitted in adifferent order in some embodiments. For example, the informationtransmitted to the key server 1330 in operation 13.6 may be transmittedafter receiving the Change Cipher Spec message of operation 13.8 orafter receiving the Finished message of operation 13.9. As anotherexample, the message in operation 13.14 may be transmitted after theServer Hello message of operation 13.16 or the Change Cipher Specmessage of operation 13.17. As yet another example, the session keystransmitted in operation 13.15 may be transmitted after the Server Hellomessage of operation 13.16 or the Change Cipher Spec message ofoperation 13.17.

In embodiments where a ticket is used for resuming a session aspreviously described, the key server 1330 may also renew the ticket bytransmitting a message (e.g., a NewSessionTicket message) to the securesession server 1320 which may transmit the message to the client device1310 after the Server Hello message of operation 13.16.

Although FIG. 13 illustrates the key server 1330 generating the sessionkeys after receiving a request to resume the session, in one embodimentthe secure session server 1320 generates the session keys afterreceiving a request to resume the session. For example, in an embodimentwhere the key server 1330 generates a ticket that includes the sessionstate (e.g., the master key and the cipher suite) that is encrypted witha key that is not known or shared with the client device 1310, the keyserver 1330 may transmit the key to decrypt the ticket to the securesession server 1320. Accordingly, upon receiving a request to resume asession from the client device 1310 that includes a session resumptionticket, the secure session server 1320 may decrypt the ticket with thekey received from the key server 1330, retrieve the session state fromthe contents of the ticket, and generate the session keys using theretrieved session state. Alternatively, the key server 1330 may generatea ticket that includes the session state (e.g., the master key and thecipher suite) that is encrypted with a key that is not known or sharedwith the client device 1310 or the secure session server 1320, whereupon receiving a request to resume a session from the client device 1310that includes a session resumption ticket, the secure session server1320 may transmit the encrypted ticket to the key server 1330, whichthen decrypts the ticket, and transmits the decrypted information backto the secure session server 1320. The secure session server 1320 thenuses the session state included in the decrypted information to generatethe session keys. As another alternative, the key server 1330 maygenerate a ticket and transmit that ticket to the secure session server1320 in unencrypted form where prior to transmitting the ticket to theclient device 1310, the secure session server 1320 encrypts the ticketusing a key known only to the secure session server 1320. Upon receivinga request to resume a session from the client device 1310 that includesa session resumption ticket, the secure session server 1320 may decryptthe ticket with appropriate key, retrieve the session state from thecontents of the ticket, and generate the session keys using theretrieved session state.

As another example, the key server 1330 may transmit the master secretto the secure session server 1320 such that secure session server 1320may use either stateful session resumption or stateless sessionresumption without requiring further interaction with the key server1330. For example in the case of stateful session resumption, the securesession server 1320 may receive the master secret from the key server1330 and store it in association with other session state parameters inits session cache (e.g., the cipher suite). Upon receiving a request toresume a session from a client that includes a session identifier of thesession to be resumed, the secure session server 1320 checks its sessioncache for a matching identifier and if found and the secure sessionserver 1320 is willing to re-establish the connection (the securesession server 1320 may deny the request to resume a session for avariety of reasons including if a lifetime of the session identifier hasbeen reached), the secure session server 1320 will use that storedsession state to generate new session keys for the resumed session. Inthe case of stateless session resumption, the secure session server 1320may receive the master secret from the key server 1330 and generate andencrypt the ticket that includes the session state information(encrypted with a ticket that may be only known to the secure sessionserver 1320). The secure session server 1320 will provide the ticket tothe client device 1310 (e.g., before the Change Cipher Spec message ofoperation 13.10 and after the Finished message of the client device 1310has been verified). Upon receiving a request to resume a session fromthe client device 1310 that includes a session resumption ticket, thesecure session server 1320 may decrypt the ticket, retrieve the sessionstate from the contents of the ticket, and generate the session keysusing the retrieved session state.

FIG. 14 is a flow diagram that illustrates exemplary operationsperformed on a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and asecure session server where the secure session server does not haveaccess to a private key for the requested domain according to anotherembodiment. The private key is stored remotely from the secure sessionserver (e.g., on a key server). The embodiment described with referenceto FIG. 14 is similar to the embodiment described with reference to FIG.2 with the exception that in addition to transmitting the encryptedpremaster secret to the key server, the secure session server alsotransmits the necessary information for the key server to generate thesession keys that will be used in the secure session between the clientdevice and the secure session server.

At operation 1410, the secure session server receives a message from theclient device that initiates a procedure to establish a secure sessionwith the client device. For example, the secure session server mayreceive a Client Hello message from the client device (e.g., an SSL orTLS Client Hello message). Depending on the protocol and capabilities ofthe client device, the message may indicate the destination host name inwhich the client device wishes to establish a secure session (e.g., theClient Hello message may include the Server Name Indication (SNI)extension and specify the destination host name). The message may alsoinclude random data used for cryptographic purposes (sometimes referredto as ClientHello.random), and may indicate whether and what type ofextensions (defined by the protocol) the client supports.

In response to receiving the message in operation 1410, the securesession server may perform a number of operations, includingtransmitting a digital certificate to the client device at operation1415. The digital certificate includes a public key for the requesteddomain. It should be understood that the private key that corresponds tothe public key is not stored on the secure session server (e.g., it isstored remotely on a key server). The digital certificate may betransmitted in an SSL or TLS Certificate message. Prior to transmittingthe digital certificate, the secure session server may perform a numberof other operations including transmitting a Server Hello message to theclient device which includes random data used for cryptographic purposesthat is different than the random data included in the ClientHellomessage (sometimes referred to as ServerHello.random) and may include alist of the extensions that the secure session server supports.

If the message in operation 1410 indicates the destination domain, thesecure session server transmits the digital certificate bound to thatdestination domain. If the message in operation 1410 does not indicatethe destination host name, the secure session server transmits thedigital certificate that is associated with the destination IP addressof the message in operation 1410, which is bound to the requesteddomain. Flow moves from operation 1415 to operation 1420.

At operation 1420, the secure session server receives from the clientdevice a premaster secret that has been encrypted using the public keyin the digital certificate transmitted in operation 1415. The encryptedpremaster secret may be sent by the client device in a SSL or TLS ClientKey Exchange message. Flow moves from operation 1420 to operation 1425.

The secure session server does not have the private key that correspondswith the public key that encrypted the premaster secret. As a result,the secure session server cannot decrypt the encrypted premaster secretto obtain the premaster secret. At operation 1425, the secure sessionserver transmits the encrypted premaster secret and the otherinformation necessary to generate the session keys that are used toencrypt and decrypt information in the secure session between the clientdevice and the secure session server. For example, the informationtransmitted to the key server may include the encrypted premaster secret(which the key server decrypts using the corresponding private key whichis then used to generate the master secret), the ClientHello.randomvalue, the ServerHello.random value, and an indication of the negotiatedcipher suite (e.g., the information may specify the negotiated ciphersuite that defines the cipher specification (the key server may look upthe parameters of the cipher specification) or may specify parameters ofthe negotiated cipher suite for generating the session keys includinginformation identifying the pseudorandom function (PRF) algorithm,encrypted key length, fixed IV length, and MAC key length) if they arenot already transmitted to the key server.

In one embodiment, the key server is located remotely from the securesession server. Moreover, in some embodiments, the secure session serverand the key server may be owned and/or operated by different entities.For example, the secure session server may not be under physical controlof the owner of the requested domain while the key server is underphysical control of the owner of the requested domain. In oneembodiment, the encrypted premaster secret and the other informationnecessary to generate the session keys are transmitted to the key serverover a secure connection (e.g., encrypted using SSL or TLS) and/or isotherwise encrypted. Flow moves from operation 1425 to operation 1430.

In response to receiving the encrypted premaster secret and the otherinformation necessary to generate the session keys, the key serverdecrypts the encrypted premaster secret to obtain the premaster secretusing the appropriate private key, generates the master secret using thepremaster secret, the ClientHello.random value, and theServerHello.random value, and generates the session keys. FIG. 15 is aflow diagram that illustrates exemplary operations performed by a keyserver in response to receiving an encrypted premaster secret and otherinformation to generate a set of session keys for a secure sessionbetween a client device and a secure session server according to oneembodiment.

At operation 1510, the key server receives an encrypted premaster secretand other information necessary to generate a set of session keys usedfor encrypting and decrypting communication between a client device anda secure session server. For example, the information may include theClientHello.random value, the ServerHello.random value and an indicationof the negotiated cipher suite (e.g., the information may specify thenegotiated cipher suite that defines the cipher specification (the keyserver may look up the parameters of the cipher specification) or mayspecify parameters of the negotiated cipher suite for generating thesession keys including information identifying the pseudorandom function(PRF) algorithm, encrypted key length, fixed IV length, and MAC keylength).

Flow then moves to operation 1515 where the key server accesses aprivate key that corresponds with the public key that was used toencrypt the premaster secret. The key server may receive from the securesession server an indication of the domain or zone name in which theclient device is attempting to establish a secure session for. Thisindication may be transmitted in a number of different ways including ina header, a custom binary structure, or a serialization format (e.g.,protobuf, JavaScript Object Notation (JSON), etc.). The key server usesthis indication to access the private key that corresponds with thepublic key that encrypted the premaster secret.

Flow then moves to operation 1520 where the key server decrypts theencrypted premaster secret using the accessed private key. Flow thenmoves to operation 1525 where the key server generates a master secretusing the decrypted premaster secret, the ClientHello.random value, andthe ServerHello.random value. By way of example, the master secret iscalculated using a pseudorandom function that takes as input at leastthe premaster secret, the ClientHello.random value, and theServerHello.random value. The client device will use the samepseudorandom function over the same input to compute the same mastersecret.

Flow then moves to operation 1530 where the key server generates a setof session keys to be used in the secure session for encrypting anddecrypting communication between the client device and the securesession server. By way of a specific example, the master secret andother required information (e.g., received in operation 1510) is used togenerate a client write Message Authentication Code (MAC) key, a serverwrite MAC key, a client write encryption key, and a server writeencryption key. A client write Initialization Vector (IV) and a serverwrite IV may also be generated depending on the cipher used.

Flow then moves to operation 1535 where the key server transmits thegenerated session keys to the secure session server. The transmission ofthe session keys to the secure session server may be over a securesession between the secure session server and the key server and/or thesession keys may be encrypted in a way that they can be decrypted by thesecure session server. If the transmission is over a secure sessionbetween the key server and the secure session server, as part ofestablishing that secure session the key server may request a clientcertificate from the secure session server in order to authenticate theidentity of the secure session server. In some embodiments, the keyserver may use IP address based blocking to verify that the key serveris communicating with a legitimate secure session server (e.g., byverifying that the secure session server is communicating with an IPaddress having a value that is expected by the key server). In someembodiments, the connection between the key server and the securesession server is a VPN connection. In some embodiments, the messagestransmitted by the secure session server to the key server are signedwith a private key that is known only to the secure session server. Insuch embodiments, the key server verifies the validity of the signatureof a message prior to acting on that message. In some embodiments, anycombination of these security techniques may be used.

Referring back to FIG. 14, at operation 1430, the secure session serverreceives the session keys from the key server. In one embodiment, thesession keys are transmitted to the key server over a secure connection(e.g., encrypted using SSL or TLS) and/or is otherwise encrypted suchthat the secure session server is able to decrypt the session keys. Flowmoves from operation 1430 to operation 1435 where the secure sessionserver completes the handshake with the client device and establishes asecure session with the client device. For example, the client deviceand secure session server each may transmit a Change Cipher Spec messageand a Finished message, as previously described herein. While the securesession is in operation, the client device and secure session server mayexchange data securely.

In addition to transmitting the session keys to the secure sessionserver, the key server may also transmit the generated master secret tothe secure session server. The generated master secret may be used whenverifying the information included in the Finished message received fromthe client and when generating the Finished message to transmit to theclient. In addition, the master secret may be used when resuming asession between the client device and the secure session server. Forexample, when a connection is established by resuming a session (e.g.,the client transmits a ClientHello message with a session ID of asession that is capable of being resumed or includes a sessionresumption ticket), new ClientHello.random and ServerHello.random valuesare generated and hashed with the master secret of the establishedsession. If the master secret is not transmitted to the secure sessionserver, the secure session server may request the key server to hash thenew ClientHello.random and ServerHello.random values with the mastersecret and provide the result to the secure session server to supportresumption of sessions.

If the master secret is not transmitted to the secure session server,the secure session server may transmit the value included in theFinished message received from the client device or the entire Finishedmessage to the key server to verify that the key exchange wassuccessful. The secure session server may generate the hash value andtransmit it to the key server for use in the verification. In such anembodiment, the key server responds to the secure session server whetherthe key exchange was verified as successful. It should be understoodthat if the key exchange is not verified, the handshake will notcontinue.

In an alternative embodiment, instead of generating the Finished message(e.g., if the secure session server does not have access to the mastersecret), the secure session server transmits a request to the key serverto generate the value to be included in the Finished message or togenerate the entire Finished message that will be transmitted to theclient device. The secure session server may also generate the hashvalue and transmit it to the key server for use in generating the valueincluded in the Finished message. In such an embodiment, the key serverresponds to the secure session server with either the generated value tobe included in the Finished message or the generated Finished messagethat includes the generated value.

In another embodiment, the secure session server proxies the messages ofthe handshake between the client device and the key server where the keyserver generates and transmits to the secure session server the set ofsession keys to be used during the secure session between the clientdevice and the secure session server. FIG. 16A illustrates exemplarymessages for establishing a secure session using public-key cryptographybetween a client device 1610 and a secure session server 1620 where thekey server 1630 generates and transmits to the secure session server1620 the session keys used for the secure session.

The client device 1610 (including the client network application 1615)is similar to the client device 110 of FIG. 1. The secure session server1620, including the secure session module 1640 and the optionalcertificate(s) 1645, are similar to the secure session server 120(including the secure session module 140 and the certificate(s) 145),but perform different operations as will be described below. The keyserver 1630 is similar to the key server 130 of FIG. 1, but performsdifferent operations as will be described below.

At operation 16.1, the client device 1610 transmits a Client Hellomessage to the secure session server 1620. This Client Hello message issimilar to the Client Hello message described in operation 1.1 of FIG. 1and transmitted to the secure session server 1620 for similar reasons.The Client Hello message includes, among other data, aClientHello.random value. The secure session server 1620 transmits theClient Hello message to the key server 1630 at operation 16.2. ThisClient Hello message is the same or substantially the same as the ClientHello message of operation 16.1.

In one embodiment, the secure session server 1620 may terminate securesession connections for multiple domains that are owned by differententities and the respective private keys for those domains are stored ondifferent key servers. By way of example and assuming that the domainexample.com and example2.com are owned by different entities, the securesession server 1620 may terminate secure session connections for thosedomains and a first key server may store or have access to the privatekey for example.com and a second key server may store or have access tothe private key for example2.com. If the secure session server 1620 issupporting multiple domains whose respective private keys are stored ondifferent key servers, the secure session server 1620 determines whichkey server to transmit the Client Hello message. If the client device1610 specifies the destination domain using the SNI extension in theClient Hello message, the secure session server 1620 uses thedestination domain to determine which key server the Client Hellomessage should be transmitted to. If the client device 1610 does notspecify the destination domain using the SNI extension, then the securesession server 1620 matches the destination IP address of the ClientHello message received form the client device 1610 with thecorresponding hostname to determine which key server to determine whichkey server the Client Hello message should be transmitted to (e.g., thesecure session server 1620 may include a mapping of IP addresses andhostnames). The secure session server 1620 may also transmit thedestination hostname to the key server 1630 (e.g., if the Client Hellomessage does not include the SNI extension).

In response to receiving the Client Hello message, at operation 16.3 thekey server 1630 transmits a Server Hello message to secure sessionserver 1620. The Server Hello message is similar to the Server Hellomessage described in operation 1.2 of FIG. 1. The Server Hello messageincludes, among other data, a ServerHello.random value. The securesession server 1620 transmits the Server Hello message to the clientdevice 1610 at operation 16.4.

The key server 1630 also transmits a Certificate message to the securesession server 1620 at operation 16.5 (a server Certificate). ThisCertificate message is similar to the Certificate message described inoperation 1.3 of FIG. 1. The Certificate message includes a digitalcertificate for the requested domain. For example, if the requesteddomain is example.com, the Certificate message includes a digitalcertificate bound to example.com. The digital certificate includes,among other things, a public key. The secure session server 1620 doesnot store the private key that corresponds with the public key includedin the certificate. The secure session server 1620 may also not storethe digital certificate bound to the requested domain. The securesession server 1620 transmits the Certificate message to the clientdevice 1610 at operation 166.

At operation 16.7, the key server 1630 transmits a Server Hello Donemessage to the secure session server 1620 that indicates that thehello-message phase of the handshake is complete. This Server Hello Donemessage is similar to the Server Hello Done message described inoperation 1.4 of FIG. 1. The secure session server 1620 transmits theServer Hello Done message to the client device 1610 at operation 16.8.

At operation 16.9, the client device 1610 transmits a Client KeyExchange message to the secure session server 1620. The Client KeyExchange message includes a premaster secret that has been encryptedusing the public key included in the Certificate message of operation16.6. By way of a specific example, if the RSA algorithm is being usedfor key agreement and authentication, the client device 1610 generates a48-byte value for the premaster secret and encrypts it using the publickey from the server's certificate and transmits the encrypted premastersecret to the secure session server 1620. The secure session server 1620does not have the private key to decrypt the premaster secret. However,the private key is stored on the key server 1630 (as one of the privatekey(s) 1650). Although FIG. 16A illustrates the key server 1630 storingthe private keys, in other embodiments the key server 1630 has access tothe private keys but those private keys are stored on a differentdevice. At operation 16.10, the secure session server 1620 transmits theClient Key Exchange message to the key server 1630.

The key server 1630 decrypts the encrypted premaster secret included inthe Client Key Exchange message using the appropriate private key forthe requested domain. Using the premaster secret, the key server 1630calculates the master secret. By way of example, the master secret iscalculated using a pseudorandom function that takes as input thepremaster secret, the ClientHello.random value, and theServerHello.random value. The client device 1610 also generates the samemaster secret. The master secret is used by the client device 1610 andthe key server 1630 to generate session keys that are used to encryptand decrypt information during the secure session. By way of a specificexample, the master secret is used to generate a client write MessageAuthentication Code (MAC) key, a server write MAC key, a client writeencryption key, and a server write encryption key. A client writeInitialization Vector (IV) and a server write IV may also be generateddepending on the cipher used.

At operation 16.11, the client device 1610 transmits a Change CipherSpec message to the secure session server 1620. The Change Cipher Specmessage from the client device 1610 indicates that future messagestransmitted by the client device 1610 will be encrypted. In oneembodiment, the secure session server 1620 transmits the Change CipherSpec message to the key server 1630 at operation 16.12. In anotherembodiment, the secure session server 1620 does not transmit the ChangeCipher Spec message to the key server 1630.

At operation 16.13, the client device 1610 transmits a Finished messageto the secure session server 1620. The Finished message is used toverify that the key exchange and authentication processes weresuccessful. The Finished message is encrypted using the generatedsession keys. By way of example, the Finished message includes anencrypted hash of all of the messages in the handshake previously sentto the client device 1610 and received from the client device 1610. Forexample, the message may include a value calculated using a pseudorandomfunction that takes as input the master secret, a finished label (e.g.,a client finished label), and a hash of all of the messages in thehandshake previously sent to the client device 1610 and received fromthe client device 1610. In one embodiment, the secure session server1620 transmits the Finished message to the key server 1630 at operation16.14.

In another embodiment, the secure session server 1620 does not transmitthe Finished message to the key server 1630. If the secure sessionserver 1620 does not transmit the Finished message to the key server1630, the secure session server 1620 will verify whether the keyexchange was successful. In one embodiment, verifying that the keyexchange was successful includes using a pseudorandom function thatincludes as its input the master secret. In such an embodiment, thesecure session server 1620 may receive the master secret from the keyserver 1630. For example, verifying that the key exchange was successfulmay include the secure session server 1620 calculating a value using thesame pseudorandom function that takes as input the master secret, afinished label (e.g., a client finished label), and a hash of all of themessages in the handshake previously sent to the client device 1610 andreceived from the client device 1610 (e.g., the Client Hello message ofoperation 16.1, the Server Hello message of operation 16.4, theCertificate message of operation 16.6, the Server Hello Done message ofoperation 16.8, the Client Key Exchange message of operation 16.9, andthe Change Cipher Spec message of operation 16.11). That calculatedvalue is compared with the value received in the Finished message (thevalues should be the same if the key exchange was successful). It shouldbe understood that if the verification fails, the handshake does notcontinue. In order to generate the hash of the messages in thehandshake, the secure session server 1620 may cache the messages that itreceives from the client device 1610 and transmits to the client device1610 such that it may generate the hash for the comparison.Alternatively the secure session server 1620 may use incremental hashingand update the hash value upon receiving each message from the clientdevice 1610 and transmitting each message to the client device 1610 forgenerating the hash.

At operation 16.15, the key server 1630 transmits a Change Cipher Specmessage to the secure session server 1620. At operation 16.16, thesecure session server 1620 transmits the Change Cipher Spec message tothe client device 1610.

At operation 16.17, the key server 1630 transmits a Finished message tothe secure session server 1620. The Finished message may include anencrypted hash of all of the messages in the handshake previously sentand received. For example, the message may include a value calculatedusing a pseudorandom function that takes as input the master secret, afinished label (e.g., a server finished label), and a hash of all of themessages in the handshake previously sent and received.

At operation 16.18, the key server 1630 transmits to the secure sessionserver 1620 the set of session keys that are used to encrypt and decryptmessages during the secure session between the client device 1610 andthe secure session server 1620. The session keys may include a clientwrite MAC key, a server write MAC key, a client write encryption key,and a server write encryption key. The session keys may also include aclient write IV and a server write IV depending on the cipher used.

The operation 16.18 (transmission of the session keys) may be performedat any time after receiving the Client Key Exchange message in operation16.10. For example, the key server 1630 may generate the session keysafter receiving the Client Key Exchange message in operation 16.10 priorto receiving the Change Cipher Spec message in operation 16.12 or theFinished message in operation 16.14, or prior to transmitting the ChangeCipher Spec message in operation 16.15 or the Finished message inoperation 16.17.

The session keys will be used by the secure session server 1620 whenencrypting and decrypting information sent between the client device1610 and the secure session server 1620. For example, the client writekey is used by the client device to encrypt data and used by the securesession server to decrypt data received from the client device, theclient write MAC key is used to authenticate data written by the clientdevice, the server write key is used by the secure session server toencrypt data and used by the client device to decrypt data received fromthe secure session server, and the server write MAC key is used toauthenticate data written by the secure session server.

At operation 16.19, the secure session server 1620 transmits theFinished message to the client device 1610. Thereafter, at operation16.20, future messages of the secure session between the client device1610 and secure session server 1620 are encrypted over the securesession 1660, which carry the application data of the connection.

In one embodiment, the messages transmitted between the secure sessionserver 1620 and the key server 1630 may be transmitted over a secureconnection (e.g., encrypted using SSL or TLS). The session keystransmitted to the secure session server 1620 may be encrypted in such away that the secure session server may decrypt them.

In one embodiment, the operations of 16.12, 16.14, 16.15, and 16.17 areoptional. For example, the secure session server 1620 may not forwardthe Change Cipher Spec message to the key server 1630. In order toperform the key exchange verification using the information included inthe Finished message of operation 16.13, the secure session server 1620may receive the master secret from the key server 1630 in addition tothe session keys. The secure session server 1620 may generate andtransmit a Change Cipher Spec message to the client device 1610 andgenerate and transmit a Finished message to the to the client device1610. Generating the Finished message may include calculating a valueusing a pseudorandom function that takes as input the master secret, afinished label (e.g., a server finished label), and a hash of all of themessages in the handshake previously sent to the client device 1610 andreceived from the client device 1610 (e.g., the Client Hello message ofoperation 16.1, the Server Hello message of operation 16.4, theCertificate message of operation 16.6, the Server Hello Done message ofoperation 16.8, the Client Key Exchange message of operation 16.9, theChange Cipher Spec message of operation 16.11, the Finished message ofoperation 16.13, and the Change Cipher Spec message of operation 16.16).For generating the hash, the secure session server 1620 may cache themessages that it receives from the client device 1610 and transmits tothe client device 1610 such that it may generate the hash in themessage. Alternatively the secure session server 1620 may useincremental hashing and update the hash value upon receiving eachmessage from the client device 1610 and transmitting each message to theclient device 1610 for generating the hash in the Finished message.

In addition to receiving the session keys from the key server 1630, thesecure session server 1620 may also receive the master secret from thekey server 1630. As described above the master secret may be used whenverifying information included in the Finished message received from theclient device 1610 and/or when generating the Finished message totransmit to the client device 1610.

In addition, the master secret may be used when resuming a sessionbetween the client device 1610 and the secure session server 1620.Sessions may be resumed using a stateful session resumption or using astateless session resumption. For example, when a connection isestablished by resuming a session (e.g., the client device 1610transmits a ClientHello message with a session ID of a session that iscapable of being resumed), new ClientHello.random and ServerHello.randomvalues are generated and hashed with the master secret of theestablished session. If the master secret is not transmitted to thesecure session server 1620, the secure session server 1620 may requestthe key server 1630 to hash the new ClientHello.random andServerHello.random values with the master secret and provide the resultto the secure session server 1620 to support resumption of sessions.

FIG. 16B illustrates exemplary operations for resuming a sessionaccording to the embodiment of FIG. 16A. Although not illustrated inFIG. 16B, prior to the operation 16.21, the secure session 1660 betweenthe client device 1610 and the secure session server 1620 has beenclosed. At some point later, at operation 16.21, the secure sessionserver 1620 receives a Client Hello message from the client device 1610.This Client Hello message differs from the Client Hello message ofoperation 16.1 in that it effectively includes a request to resume thesession. This Client Hello message may include a session ID that was setfor a previously established secure session (e.g., the secure session1660). The Client Hello message of operation 16.21 includes a differentrandom value than the Client Hello message of operation 16.1 (adifferent ClientHello.random value).

Embodiments may support the use of stateful session resumption and/orstateless session resumption. In the case of stateless sessionresumption, encrypted session state information is transmitted to theclient device 1610 in the form of a ticket that the client may presentback to the secure session server 1620 when requesting resumption of asession. The ticket includes session state (e.g., the cipher suite andthe master secret) and is encrypted with a key that is not known by theclient device 1610 (e.g., it may be encrypted with a key that is knownonly to the key server 1630 and/or to the secure session server 1620).The client device 1610 can request a session be resumed using theticket. In some embodiments the ticket is generated by the key server1630 whereas in other embodiments the ticket is generated by the securesession server 1620. An exemplary format of the ticket may be defined inaccordance with RFC 5077. If the secure session server 1620 isgenerating the ticket, then the key server 1630 transmits the mastersecret to the secure session server 1620. If the key server 1630 isgenerating the ticket, the secure session server 1620 may transmit arequest to the key server 1630 to generate the ticket only when theclient device 1610 indicates that it supports this extension, where thisrequest may be transmitted to the key server 1630 after the Finishedmessage transmitted by the client device 1610 in operation 16.13 hasbeen successfully verified. The key server 1630 receives the request togenerate the ticket, generates the ticket (encrypting it with a key thatis known only to the key server 1630 for example), and transmits theticket to the secure session server 1620. The secure session server 1620transmits the ticket to the client device 1610 before the Change CipherSpec message of operation 16.16 and after the Finished message of theclient device 1610 has been verified. In such embodiments, the ClientHello message of operation 16.21 includes the ticket (e.g., in aSessionTicket extension as defined in RFC 5077).

At operation 16.22, the secure session server 1620 transmits the ClientHello message to the key server 1630. This Client Hello message is thesame or substantially the same as the Client Hello message of operation16.21 and includes the request to resume the session.

Assuming that the session can be resumed (e.g., a valid ticket wasincluded in the Client Hello message of operation 16.21 or the sessionidentifier included in the Client Hello message of operation 16.21matches session information in the key server 1630 and the key server1630 is willing to re-establish the connection under the specifiedsession state), the key server 1630 generates the session keys for theresumed session (which will be different than the session keys used forthe secure session 1660) using the existing master secret generated forthe secure session 1660, the new ClientHello.random value (included inthe Client Hello message of operation 16.21), a new ServerHello.randomvalue chosen by the key server 1630, and other security parameters thathave been previously negotiated. The key server 1630 may retrieve thesession state (e.g., the master secret and cipher suite) from thecontents of the ticket (if included in the Client Hello message ofoperation 16.21) or through its session cache if resuming under statefulsession resumption. The session keys may include a client write MAC key,a server write MAC key, a client write encryption key, and a serverwrite encryption key. A client write IV and a server write IV may alsobe generated depending on the cipher used. The key server 1630 transmitsthe session keys to the secure session server 1620 at operation 16.23.

At operation 16.24, the key server transmits a Server Hello message tothe secure session server 1620 that is destined for the client device1610. This Server Hello message includes the new ServerHello.randomvalue selected by the key server 1630. At operation 16.25, the securesession server 1620 forwards the Server Hello message to the clientdevice 1610.

At operation 16.26, the key server 1630 transmits a Change Cipher Specmessage to the secure session server 1620 which is transmitted by thesecure session server 1620 to the client device 1610 at operation 16.27.The Change Cipher Spec message indicates that future messagestransmitted by the secure session server 1620 will be encrypted usingthe newly negotiated keys.

At operation 16.28, the key server 1630 transmits a Finished message tothe secure session server 1620 which is then transmitted by the securesession server 1620 to the client device 1610 at operation 16.29. TheFinished message may include an encrypted hash of all the messages inthe handshake to resume the session previously sent and received by theclient device 1610 to verify that the key exchange was successful. Inone embodiment the Finished message includes a value calculated using apseudorandom function that takes as input the master secret, a finishedlabel (e.g., a server finished label), and a hash of all of the messagesin the handshake previously received from the client device 1610 andsent to the client device 1610 for this handshake (e.g., the ClientHello message of operation 16.21, the Server Hello message of operation16.25, and the Change Cipher Spec message of operation 16.27).

At operation 16.30, the secure session server 1620 receives a ChangeCipher Spec message from the client device 1610. The Change Cipher Specmessage from the client device 1610 indicates that future messagestransmitted by the client device 1610 will be encrypted using the newlynegotiated keys. In one embodiment, at operation 16.31, the securesession server 1620 transmits the Change Cipher Spec message to the keyserver 1630. In another embodiment, the secure session server 1620 doesnot transmit the Change Cipher Spec message to the key server 1630.

At operation 16.32, the client device 1610 transmits a Finished messageto the secure session server 1620. The Finished message is encryptedusing the generated session keys. By way of example, the Finishedmessage includes an encrypted hash of all of the messages in thishandshake previously sent by and received by the client device 1610. TheFinished message is used to verify that the key exchange andauthentication processes were successful. For example, the message mayinclude a value calculated using a pseudorandom function that takes asinput the master secret, a finished label (e.g., a client finishedlabel), and a hash of all of the messages in the handshake previouslysent by the client device 1610 and received at the client device 1610.In one embodiment, the secure session server 1620 transmits the Finishedmessage to the key server 1630 at operation 16.33.

In another embodiment, the secure session server 1620 does not transmitthe Finished message to the key server 1630. If the secure sessionserver 1620 does not transmit the Finished message to the key server1630, the secure session server 1620 will verify whether the keyexchange was successful. In one embodiment, verifying that the keyexchange was successful includes using a pseudorandom function thatincludes as its input the master secret. In such an embodiment, thesecure session server 1620 may receive the master secret from the keyserver 1630. For example, verifying that the key exchange was successfulmay include the secure session server 1620 calculating a value using thesame pseudorandom function that takes as input the master secret, afinished label (e.g., a client finished label), and a hash of all of themessages in the handshake for this session that were previously sent tothe client device 1610 and received from the client device 1610 (e.g.,the Client Hello message of operation 16.21, the Server Hello message ofoperation 16.25, the Change Cipher Spec message of operation 16.27, theFinished message of operation 16.29, and the Change Cipher Spec messageof operation 16.30). That calculated value is compared with the valuereceived in the Finished message (the values should be the same if thekey exchange was successful). It should be understood that if theverification fails, the handshake does not continue. In order togenerate the hash of the messages in the handshake, the secure sessionserver 1620 may cache the messages that it receives from the clientdevice 1610 and transmits to the client device 1610 such that it maygenerate the hash for the comparison. Alternatively the secure sessionserver 1620 may use incremental hashing and update the hash value uponreceiving each message from the client device 1610 and transmitting eachmessage to the client device 1610 for generating the hash.

At operation 16.34, the key server 1630 transmits a message indicatingwhether the key exchange and authentication processes were verified asbeing successful. Assuming that the key exchange and authenticationprocesses are verified as being successful, thereafter at operation16.35 future messages between the client device 1610 and the securesession server 1620 are encrypted over the secure session 1665, whichcarry the application data of the connection.

In one embodiment, the messages transmitted between the secure sessionserver 1620 and the key server 1630 may be transmitted over a secureconnection (e.g., encrypted using SSL or TLS). The session keystransmitted to the secure session server 1620 may be encrypted in such away that the secure session server 1620 may decrypt them.

In one embodiment, the operations of 16.24, 16.26, 16.28, 16.31, 16.33,and/or 16.34 are optional. For example, in some embodiments the securesession server 1620 generates the Server Hello message instead ofreceiving it from the key server 1630. In such an embodiment, the securesession server 1620 may select a ServerHello.random value and transmitthat value to the key server 1630 prior to the key server 1630generating the session keys. As another example, in some embodiments thesecure session server 1620 generates the Change Cipher Spec message totransmit to the client device 1610 instead of it being received from thekey server 1630.

As another example, in some embodiments the secure session server 1620generates the Finished message to transmit to the client device 1610instead of it being received from the key server 1630. Generating theFinished message may include calculating a value using a pseudorandomfunction that takes as input the master secret, a finished label (e.g.,a server finished label), and a hash of all of the messages in thehandshake previously sent to the client device 1610 and received fromthe client device 1610 (e.g., the Client Hello message of operation16.21, the Server Hello message of operation 16.25, and the ChangeCipher Spec message of operation 16.27). For generating the hash, thesecure session server 1620 may cache the messages that it receives fromthe client device 1610 and transmits to the client device 1610 such thatit may generate the hash in the message. Alternatively the securesession server 1620 may use incremental hashing and update the hashvalue upon receiving each message from the client device 1610 andtransmitting each message to the client device 1610 for generating thehash in the Finished message. In order to generate the Finished message,the secure session server 1620 receives the master secret from the keyserver 1630.

As another example, in some embodiments the secure session server 1620may not transmit the Change Cipher Spec received from the client device1610 in operation 16.30 to the key server 1630 and may not transmit theFinished message received from the client device 1610 in operation 16.33to the key server 1630. In an embodiment where the Finished message isnot transmitted to the key server 1630, the secure session server 1620may perform the verification if it has access to the master secret fromthe key server 1630. For example, verifying that the key exchange wassuccessful may include the secure session server 1620 calculating avalue using a pseudorandom function that takes as input the mastersecret, a finished label (e.g., a client finished label), and a hash ofall of the messages in the handshake previously sent to the clientdevice 1610 and received from the client device 1610 (e.g., the ClientHello message of operation 16.21, the Server Hello message of operation16.25, the Change Cipher Spec message of operation 16.27, the Finishedmessage of operation 16.29, and the Change Cipher Spec message ofoperation 16.30). That calculated value is compared with the valuereceived in the Finished message of operation 16.32 (the values shouldbe the same if the key exchange was successful). It should be understoodthat if the verification fails, the handshake does not continue. Inorder to generate the hash of the messages in the handshake, the securesession server 1620 may cache the messages that it receives from theclient device 1610 and sends to the client device 1610 such that it maygenerate the hash for the comparison. Alternatively the secure sessionserver 1620 may use incremental hashing and update the hash value uponreceiving each message from the client device 1610 and transmitting eachmessage to the client device 1610.

As described above, the messages transmitted between the secure sessionserver 1620 and the key server 1630 may be transmitted over a secureconnection (e.g., encrypted using SSL or TLS). As part of establishingthe secure session, the key server 1630 may request a client certificatefrom the secure session server 1620 and the secure session server 1620may transmit a client Certificate message that includes its certificateto the key server 1630. The data in the client Certificate message isused by the key server 1630 to authenticate the identity of the securesession server 1620.

In some embodiments, the key server 1630 may use IP address blocking toaccept connections (such as from the secure session server 1620) fromonly certain IP addresses. For example, the key server 1630 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 1630 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 1630. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 1620 andthe key server 1630.

Although a secure session has been described between the secure sessionserver 1620 and the key server 1630 that is initiated by the securesession server 1620, in other embodiments the secure session can beinitiated by the key server 1630.

In some embodiments, the messages transmitted by the secure sessionserver 1620 to the key server 1630 are signed with a private key that isknown only to the secure session server 1620. In such embodiments, thekey server 1630 verifies the validity of the signature of a messageprior to acting on that message. The key server 1630 verifies whetherthe signature is valid using the corresponding public key and will onlycontinue with the operations if the signature is valid.

A combination of the security techniques described may be used toprovide security for connection between the secure session server 1620and the key server 1630. For example, a combination of requiring aclient Certificate, IP address blocking, and signing the messagestransmitted by the secure session server with a private key known onlyto the secure session server may be used to provide security for theconnection between the secure session server 1620 and the key server1630.

In one embodiment, the key server 1630 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 1630 may store orhave access to the private key for example.com and example2.com, whichmay be owned or controlled by different entities. In such an embodiment,the secure session server 1620 indicates the domain or zone in which theclient device 1610 is requesting a connection. For example, if theclient device 1610 is requesting a secure session with example.com, thenthe secure session server 1620 indicates to the key server 1630 thatexample.com is the requested domain. The client device 1610 may specifythe destination domain using the Server Name Indication (SNI) extensionin the Client Hello message. SNI is described in RFC 3546, June 2003. Ifthe client device 1610 includes the SNI extension in the Client Hellomessage of operation 16.1, then the Client Hello message of operation16.2 also includes the SNI extension that indicates the destinationdomain. If the destination is not specified by the client device 1610(e.g., the client device 1610 does not support SNI), then the securesession server 1620 matches the destination IP address of theclient-hello message sent by the client device 1610 with thecorresponding hostname (e.g., the secure session server 1620 may includea mapping of IP addresses and hostnames). The secure session server 1620may transmit the indication of the domain or zone name to the key server1630 in a number of different ways including in a header, a custombinary structure, or a serialization format (e.g., protobuf, JavaScriptObject Notation (JSON), etc.). After receiving the indication of thedomain or zone name in which the client is attempting to connect, thekey server 1630 accesses the corresponding private key. In anotherembodiment, a certificate fingerprint or a hash of the modulus (for RSA)may be used to identify the corresponding private key. For example, thesecure session server 1620 may generate a fingerprint over thecertificate included in the Certificate message of operation 16.6 (e.g.,a hash may be generated over the certificate) and transmit thatfingerprint value to the key server 1630. The key server 1630 uses thesame fingerprint algorithm to generate a fingerprint over its digitalcertificates and matches each to the corresponding private key. Uponreceiving the fingerprint value from the secure session server 1620, thekey server 1630 matches that fingerprint value with one of thefingerprint values it generated over the public certificate (the samepublic certificate included in the Certificate message of operation16.6) to lookup the corresponding private key. As another example, thesecure session server 1620 may hash the modulus of the public keyincluded in the certificate of the Certificate message of operation 16.6and transmit that hash value to the key server 1630. The key server 1630uses the same hash algorithm to generate a hash value over the modulusover its stored public keys and matches each to the correspondingprivate key. Upon receiving the hash value from the secure sessionserver 1620, the key server 1630 matches that hash value with one of thehash values it generated to lookup the corresponding private key.

In embodiments where a ticket is used for resuming a session aspreviously described, the key server 1630 may also renew the ticket bytransmitting a message (e.g., a NewSessionTicket message) to the securesession server 1620 which may transmit the message to the client device1610 after the Server Hello message of operation 16.25.

Although FIG. 16B illustrates the key server 1630 generating the sessionkeys after receiving a request to resume the session, in one embodimentthe secure session server 1620 generates the session keys afterreceiving a request to resume the session. For example, in an embodimentwhere the key server 1630 generates a ticket that includes the sessionstate (e.g., the master key and the cipher suite) that is encrypted witha key that is not known or shared with the client device 1610, the keyserver 1630 may transmit the key to decrypt the ticket to the securesession server 1620. Accordingly, upon receiving a request to resume asession from the client device 1610 that includes a session resumptionticket, the secure session server 1620 may decrypt the ticket with thekey received from the key server 1630, retrieve the session state fromthe contents of the ticket, and generate the session keys using theretrieved session state.

As another example, the key server 1630 may transmit the master secretto the secure session server 1620 such that secure session server 1620may use either stateful session resumption or stateless sessionresumption without requiring further interaction with the key server1630. For example in the case of stateful session resumption, the securesession server 1620 may receive the master secret from the key server1630 and store it in association with other session state parameters inits session cache (e.g., the cipher suite). Upon receiving a request toresume a session from a client that includes a session identifier of thesession to be resumed, the secure session server 1620 checks its sessioncache for a matching identifier and if found and the secure sessionserver 1620 is willing to re-establish the connection (the securesession server 1620 may deny the request to resume a session for avariety of reasons including if a lifetime of the session identifier hasbeen reached), the secure session server 1620 will use that storedsession state to generate new session keys for the resumed session. Inthe case of stateless session resumption, the secure session server 1620may receive the master secret from the key server 1630 and generate andencrypt the ticket that includes the session state information(encrypted with a ticket that may be only known to the secure sessionserver 1620). The secure session server 1620 will provide the ticket tothe client device 1310 (e.g., before the Change Cipher Spec message ofoperation 16.16 and after the Finished message of the client device 1610has been verified). Upon receiving a request to resume a session fromthe client device 1610 that includes a session resumption ticket, thesecure session server 1620 may decrypt the ticket, retrieve the sessionstate from the contents of the ticket, and generate the session keysusing the retrieved session state.

FIG. 17 is a flow diagram that illustrates exemplary operationsperformed by the secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and asecure session server where the secure session server does not haveaccess to a private key for the requested domain according to anotherembodiment. The private key is stored remotely from the secure sessionserver (e.g., on a key server). For example, in the embodiment describedwith reference to FIG. 17, the secure session server proxies themessages of the handshake between the client device and the key serverwhere the key server generates and transmits to the secure sessionserver the set of session keys to be used during the secure sessionbetween the client device and the secure session server.

At operation 1710, the secure session server receives a message from theclient device that initiates a procedure to establish a secure sessionwith the client device and transmits the message to a key server. Forexample, the secure session server may receive a Client Hello messagefrom the client device (e.g., an SSL or TLS Client Hello message).Depending on the protocol and capabilities of the client device, themessage may indicate the destination host name in which the clientdevice wishes to establish a secure session (e.g., the Client Hellomessage may include the Server Name Indication (SNI) extension andspecify the destination host name). The message may also include randomdata used for cryptographic purposes (sometimes referred to asClientHello.random), and may indicate whether and what type ofextensions (defined by the protocol) the client supports.

The secure session server may be terminating secure session connectionsfor multiple domains that are owned by different entities and therespective private keys for those domains may be stored on different keyservers. If the secure session server is supporting multiple domainswhose respective private keys are stored on different key servers, thesecure session server determines which key server it will transmit themessage received from the client device. For example, if the clientdevice specifies the destination domain using the SNI extension in theClient Hello message, the secure session server uses the destinationdomain to determine which key server the Client Hello message should betransmitted to. If the client device does not specify the destinationdomain using the SNI extension, then the secure session server matchesthe destination IP address of the message received from the clientdevice with the corresponding hostname to determine which key server todetermine which key server the message should be transmitted to (e.g.,the secure session server may include a mapping of IP addresses andhostnames). The secure session server may also transmit the destinationhostname to the key server (e.g., if the SNI extension is not used bythe client device).

Flow then moves to operation 1715 where the secure session serverreceives a digital certificate from the key server and transmits thedigital certificate to the client device. The digital certificateincludes a public key for the requested domain. It should be understoodthat the private key that corresponds to the public key is not stored onthe secure session server (e.g., it is stored remotely on a key server).The digital certificate may be transmitted in an SSL or TLS Certificatemessage. Prior to receiving the digital certificate from the key server,the secure session server may receive a Server Hello message from thekey server and transmit the Server Hello message to the client device.After receiving the digital certificate from the key server, the securesession server may receive a Server Hello Done message from the keyserver and transmit the Server Hello Done message to the client device.Flow then moves to operation 1720.

At operation 1720, the secure session server receives from the clientdevice a premaster secret that has been encrypted using the public keyin the digital certificate transmitted in operation 1715 and transmitsthe encrypted premaster secret to the key server. The encryptedpremaster secret may be sent by the client device in a SSL or TLS ClientKey Exchange message. Flow moves from operation 1720 to operation 1725.

In response to receiving the encrypted premaster secret, the key serverdecrypts the encrypted premaster secret to obtain the premaster secretusing the appropriate private key. Using the premaster secret along withother values (e.g., the ClientHello.random value and theServerHello.random value), the key server generates the master secret.The client device will also generate the same master secret. The keyserver will also generate the session keys that will be used to encryptand decrypt information during the secure session between the clientdevice and the secure session server. By way of a specific example, themaster secret is used along with other information to generate a clientwrite MAC key, a server write MAC key, a client write encryption key,and a server write encryption key. A client write IV and a server writeIV may also be generated depending on the cipher used.

The secure session server may also receive from the client device andtransmit to the key server a message that indicates that future messagestransmitted by the client device will be encrypted (e.g., a ChangeCipher Spec message). In addition, the secure session server may alsoreceive from the client device and transmit to the key server a messagethat has been encrypted using the session keys (e.g., a Finishedmessage).

At operation 1725, the secure session server receives a set of sessionkeys from the key server for encrypting and decrypting communication forthe secure session between the client device and the secure sessionserver. The secure session server may also receive from the key serverand transmit to the client device a message that indicates that futuremessages transmitted by the secure session server will be encrypted(e.g., a Change Cipher Spec message). In addition, the secure sessionserver may also receive from the key server and transmit to the clientdevice a message that has been encrypted using the session keys (e.g., aFinished message). The secure session server may also receive the mastersecret from the key server, which may be used for resuming the securesession.

Flow then moves to operation 1730 where future messages sent between theclient device and the secure session server over the secure session willbe encrypted and decrypted using the set of session keys received fromthe key server. For example, the client write key is used by the clientdevice to encrypt data and used by the secure session server to decryptdata received from the client device, the client write MAC key is usedto authenticate data written by the client device, the server write keyis used by the secure session server to encrypt data and used by theclient device to decrypt data received from the secure session server,and the server write MAC key is used to authenticate data written by thesecure session server.

FIG. 18 is a flow diagram that illustrates exemplary operationsperformed by a key server for establishing a secure session connectionbetween a client device and a secure session server that will terminatethe secure session connection according to one embodiment. At operation1810, the key server receives a message from a secure session serverthat a client is requesting a secure session with the secure sessionserver. For example, the message may be a Client Hello message thatoriginated from a client device. The secure session server may alsotransmit an indication of the destination host name in which the clientdevices wishes to establish a secure session. For example, the ClientHello message may include the SNI extension that specifies thedestination host name. As another example, the secure session server mayotherwise indicate to the key server the destination host name if theClient Hello message does not include the SNI extension. The message mayalso include random data used for cryptographic purposes (sometimesreferred to as ClientHello.random), and may indicate whether and whattype of extensions (defined by the protocol) the client supports. Flowmoves from operation 1810 to operation 1815.

At operation 1815, the key server transmits a message to the securesession server that is destined for the client in response to themessage received at operation 1810. For example, the message may be aServer Hello message. This message may include the version of the SSL orTLS protocol supported, a session identifier that will be used toidentify the session, the selected cipher suite (selected from the listof cipher suites included in the message received in operation 1810),random data used for cryptographic purposes that is different than therandom data included in the ClientHello message (sometimes referred toas ServerHello.random), and may also include a list of the extensionsthat the server supports. Flow then moves to operation 1820.

At operation 1820, the key server transmits a digital certificate to thesecure session server that is destined for the client for the requesteddomain. The digital certificate may be included in a Certificatemessage. The digital certificate includes a public key for the requesteddomain. Flow then moves to operation 1825 where the key server transmitsa message to the secure session server that is destined for the clientthat indicates that the hello-message phase of the handshake is completeand the client can proceed with its phase of the key exchange. Forexample, this message may be a Server Hello Done message.

Flow then moves to operation 1830 where the key server receives from thesecure session server a message that includes an encrypted premastersecret set by the client (encrypted with the public key included in thecertificate sent to the client). For example, the message may be aClient Key Exchange message.

Flow then moves to operation 1835 where the key server accesses thecorresponding private key and decrypts the encrypted premaster secret.Flow then moves to operation 1840 where the key server generates amaster secret using at least the decrypted premaster secret. By way of aspecific example, the key server may generate the master secret using apseudorandom function that takes as input at least the premaster secret,the ClientHello.random value, and the ServerHello.random value. Theclient device will use the same pseudorandom function over the sameinput to compute the same master secret. Flow then moves to operation1845.

At operation 1845, the key server generates a set of session keys to beused in the secure session between the client device and the securesession server for encrypting and decrypting communication between theclient device and the secure session server. Generating the session keysincludes at least the use of the master secret and may include othersecurity parameters that have been negotiated between the client and thekey server. For example, the other security parameters may include theClientHello.random value, the ServerHello.random value, and anindication of the negotiated cipher suite (e.g., the information mayspecify the negotiated cipher suite that defines the cipherspecification (the key server may look up the parameters of the cipherspecification) or may specify parameters of the negotiated cipher suitefor generating the session keys including information identifying thepseudorandom function (PRF) algorithm, encrypted key length, fixed IVlength, and MAC key length). The session keys may include a client writeMAC key, a server write MAC key, a client write encryption key, and aserver write encryption key. A client write Initialization Vector (IV)and a server write IV may also be generated depending on the cipherused. Flow moves from operation 1845 to operation 1850.

The key server may also receive from the secure session server a messagethat indicates that future messages transmitted by the client will beencrypted (e.g., a Change Cipher Spec message). The key server may alsoreceive from the secure session server a message that originates fromthe client that is encrypted using the generated session keys and isused to verify that the key exchange and authentication processes weresuccessful (e.g., a Finished message).

At operation 1850, the key server transmits the set of session keys tothe secure session server for use in the secure session between theclient and the secure session server. The key server may also transmitto the secure session server that is destined for the client a messagethat indicates that future messages transmitted by the server will beencrypted (e.g., a Change Cipher Spec message) and/or a message that isencrypted using the generated session keys and is used by the client toverify that the key exchange and authentication processes weresuccessful (e.g., a Finished message).

In addition to transmitting the session keys to the secure sessionserver, the key server may also transmit the generated master secret tothe secure session server. The generated master secret may be used whenverifying the information included in the Finished message received fromthe client and when generating the Finished message to transmit to theclient. In addition, the master secret may be used when resuming asession between the client device and the secure session server. Forexample, when a connection is established by resuming a session (e.g.,the client transmits a ClientHello message with a session ID of asession that is capable of being resumed), new ClientHello.random andServerHello.random values are generated and hashed with the mastersecret of the established session. If the master secret is nottransmitted to the secure session server, the secure session server mayrequest the key server to hash the new ClientHello.random andServerHello.random values with the master secret and provide the resultto the secure session server to support resumption of sessions.

If the master secret is not transmitted to the secure session server,the secure session server may transmit the value included in theFinished message received from the client device or the entire Finishedmessage to the key server to verify that the key exchange wassuccessful. The secure session server may generate the hash value andtransmit it to the key server for use in the verification. In such anembodiment, the key server responds to the secure session server whetherthe key exchange was verified as successful. It should be understoodthat if the key exchange is not verified, the handshake will notcontinue.

In an alternative embodiment, instead of generating the Finished message(e.g., if the secure session server does not have access to the mastersecret), the secure session server transmits a request to the key serverto generate the value to be included in the Finished message or togenerate the entire Finished message that will be transmitted to theclient device. The secure session server may also generate the hashvalue and transmit it to the key server for use in generating the valueincluded in the Finished message. In such an embodiment, the key serverresponds to the secure session server with either the generated value tobe included in the Finished message or the generated Finished messagethat includes the generated value.

As described above, the messages transmitted between the secure sessionserver and the key server may be over a secure session. As part ofestablishing the secure session between the key server and the securesession server, the key server may request a client certificate from thesecure session server in order to authenticate the identity of thesecure session server. In some embodiments, the key server may use IPaddress based blocking to verify that the key server is communicatingwith a legitimate secure session server (e.g., by verifying that thesecure session server is communicating with an IP address having a valuethat is expected by the key server). In some embodiments, the connectionbetween the key server and the secure session server is a VPNconnection. In some embodiments, the messages transmitted by the securesession server to the key server are signed with a private key that isknown only to the secure session server. In such embodiments, the keyserver verifies the validity of the signature of a message prior toacting on that message. In some embodiments, any combination of thesesecurity techniques may be used.

FIG. 19A illustrates another embodiment for establishing a securesession between a client device and a secure session server where thesecure session server does not have access to the private key usedduring the secure session handshake. Similar to the embodiment describedin FIG. 7, the embodiment described in FIG. 19A describes the messageswhere the cipher suite chosen requires the use of a Server Key Exchangemessage (e.g., a Diffie-Hellman cipher suite is used such as DHE_RSA,DHE_DSS, ECDHE_RSA, or ECDHE_ECDSA). The client device 1910 (includingthe client network application 1915) is similar to the client device 110of FIG. 1. The secure session server 1920, including the secure sessionmodule 1940 and the optional certificate(s) 1945, are similar to thesecure session server 120 (including the secure session module 140 andthe certificate(s) 145), but perform different operations as will bedescribed below. The key server 1930 is similar to the key server 130 ofFIG. 1, but performs different operations as will be described below.

At operation 19.1, the client device 1910 transmits a Client Hellomessage to the secure session server 1920. This Client Hello message issimilar to the Client Hello message described in operation 1.1 ofFIG. 1. At operation 19.2, the secure session server 1920 transmits theClient Hello message to the key server 1930.

In response to the Client Hello message, at operation 19.3 the keyserver 1930 transmits a Server Hello message to the secure sessionserver 1920. This Server Hello message is similar to the Server Hellomessage described in operation 1.2 of FIG. 1. At operation 19.4, thesecure session server 1920 transmits the Server Hello message to theclient device 1910.

The key server 1930 also transmits a Certificate message to the securesession server 1920 at operation 19.5. This Certificate message issimilar to the Certificate message described in operation 1.3 of FIG. 1.At operation 19.6, the secure session server 1920 transmits theCertificate message to the client device 1910.

With reference to the embodiment illustrated in FIG. 19A, the ciphersuite that is used has a key exchange in which the certificate messagetransmitted in operation 19.6 does not include enough data to allow theclient device 1910 to generate a premaster secret. For example, theselected cipher suite may use Diffie-Hellman as the key exchangemechanism (e.g., DHE_RSA, DHE_DSS, ECDHE_ECDSA, or ECDHE_RSA). Becauseof this, a message is transmitted to the client device 1910 that conveyscryptographic information to allow the client device 1910 to generatethe premaster secret. By way of a specific example where the keyexchange mechanism is Diffie-Hellman such as DHE_DSS or DHE_RSA, thecryptographic information includes a set of cryptographic parametersthat may include the following: the prime modulus used for theDiffie-Hellman operation (p), the generator used for the Diffie-Hellmanoperation (g), and a Diffie-Hellman public value of the server (ĝX modp, where X is the Diffie-Hellman private value of the server). Asanother specific example where the key exchange mechanism is ECDHE suchas ECDHE_ECDSA or ECDHE_RSA, the cryptographic parameters include theEphemeral ECDH public key and a specification of the corresponding curve(the corresponding elliptic curve domain parameters) (e.g., as definedin RFC 4492). The message that conveys the cryptographic information isreferred to as a Server Key Exchange message. The cryptographicinformation of the Server Key Exchange message may need to be signedwith the private key 1950 corresponding to the public key that theserver transmitted in the Certificate message transmitted in operation19.6 (e.g., if the key exchange mechanism is DHE_RSA, DHE_DSS,ECDHE_ECDSA, or ECDHE_RSA). For example, private key 1950 may be used tosign the set of cryptographic parameters, the ClientHello.random value,and the ServerHello.random value. As similarly described with respect tothe embodiment discussed in FIG. 1, the secure session server 1920 doesnot have local access to this private key 1950. As a result, the securesession server 1920 cannot sign the Server Key Exchange message withthis private key 1950.

At operation 19.7, the key server 1930 transmits the Server Key Exchangemessage to the secure session server 1920. Since the key server 1930 hasaccess to the private key 1950, the key server 1930 generates thecryptographic parameters and signs them using the private key 1950. Inthis embodiment, the private key 1950 is typically an RSA key if the keyexchange mechanism is DHE_RSA or ECDHE_RSA, and is typically a DigitalSignature Algorithm (DSA) key if the key exchange mechanism is DHE_DSSor an ECDSA key if the key exchange mechanism is ECDHE_ECDSA. Thus theServer Key Exchange message includes the signed cryptographicparameters. At operation 19.8, the secure session server 1920 transmitsthe Server Key Exchange message to the client device 1910.

At operation 19.9, the key server 1930 transmits a Server Hello Donemessage to the secure session server 1920 that the secure session server1920 transmits to the client device 1910 at operation 19.10. The ServerHello done message indicates that the hello-message phase of thehandshake is complete.

At operation 19.11, the secure session server 1920 receives a Client KeyExchange message from the client device 1910. The Client Key Exchangemessage transmitted in operation 19.11 does not include the encryptedpremaster secret. Rather, this Client Key Exchange message includesinformation necessary to generate the same premaster secret as theclient generated (e.g., it includes the client's Diffie-Hellman publicvalue). At operation 19.12, the secure session server 1920 transmits theClient Key Exchange message to the key server 1930.

The key server 1930 generates the premaster secret using the client'sDiffie-Hellman public value (received in the Client Key Exchangemessage) and its Diffie-Hellman private value. The key server 1930 usesthe premaster secret to calculate the master secret. The client device1910 and the key server 1930 use the same algorithm and data tocalculate the same master secret. By way of example, the master secretis calculated using a pseudorandom function that takes as input thepremaster secret, the ClientHello.random value, and theServerHello.random value.

The master secret is used by the client device 1910 and the key server1930 to generate session keys that are used to encrypt and decryptinformation during the secure session. By way of example, generating thesession keys includes at least the use of the master secret and mayinclude other security parameters that have been negotiated between theclient and the key server including the ClientHello.random value, theServerHello.random value, and an indication of the negotiated ciphersuite (e.g., the information may specify the negotiated cipher suitethat defines the cipher specification (the key server may look up theparameters of the cipher specification) or may specify parameters of thenegotiated cipher suite for generating the session keys includinginformation identifying the pseudorandom function (PRF) algorithm,encrypted key length, fixed IV length, and MAC key length. By way of aspecific example, the master secret is used to generate a client writeMAC key, a server write MAC key, a client write encryption key, and aserver write encryption key. A client write Initialization Vector (IV)and a server write IV may also be generated depending on the cipherused.

At operation 19.13, the key server 1930 transmits the set of sessionkeys to the secure session server 1920 which will be used by the securesession server 1920 to encrypt and decrypt messages during the securesession between the client device 1910 and the secure session server1920.

At operation 19.14, the secure session server 1920 receives a ChangeCipher Spec message from the client device 1910 which indicates thatfuture messages transmitted by the client device 1910 will be encryptedusing the set of session keys. The secure session server 1920 transmitsthe Change Cipher Spec message to the key server 1930 at operation19.15.

At operation 19.16, the secure session server 1920 receives a Finishedmessage from the client device 1910 that is encrypted using thegenerated session keys and includes an encrypted hash of all of themessages in the handshake previously sent and received (previously sentand received to the client device 1910). The Finished message is used toverify that the key exchange and authentication processes weresuccessful. By way of example, the message may include a valuecalculated using a pseudorandom function that takes as input the mastersecret, a finished label (e.g., a client finished label), and a hash ofall of the message in the handshake previously sent by and to the clientdevice 1910. The secure session server 1920 transmits the Finishedmessage to the key server 1930 at operation 19.17. The key server 1930will verify whether key exchange process was successful with techniquesas previously described herein.

At operation 19.18, the secure session server 1920 receives a ChangeCipher Spec message from the key server 1930 and transmits the ChangeCipher Spec message to the client device 1910 at operation 19.19. TheChange Cipher Spec indicates to the client device 1910 that futuremessages transmitted by the secure session server 1920 will be encryptedusing the generated session keys.

At operation 19.20, the secure session server 1920 receives a Finishedmessage from the key server 1930. The Finished message may include anencrypted hash of all of the messages in the handshake previously sentand received between the client device 1910 and the secure sessionserver 1920. For example, the message may include a value calculatedusing a pseudorandom function that takes as input the master secret, afinished label (e.g., a server finished label), and a hash of all of themessages in the handshake previously sent and received. The securesession server 1920 transmits the Finished message to the client device1910 at operation 19.21.

Thereafter, at operation 19.22, future messages of the secure sessionbetween the client device 1910 and secure session server 1920 areencrypted over the secure session 1960, which carry the application dataof the connection.

In one embodiment, the messages transmitted between the secure sessionserver 1910 and the key server 1920 may be transmitted over a secureconnection (e.g., encrypted using SSL or TLS). The session keystransmitted to the secure session server 1910 in operation 19.13 may beencrypted in such a way that the secure session server may decrypt them.

In one embodiment, the operations of 19.15, 19.17, 19.18, and/or 19.20optional. For example, the secure session server 1920 may not forwardthe Change Cipher Spec message to the key server 1930. In oneembodiment, instead of transmitting the Change Cipher Spec of operation19.15 and the Finished message of operation 19.17 and instead ofreceiving the Change Cipher Spec of operation 19.18 and the Finishedmessage of operation 19.20, the secure session server 1920 performs thekey exchange verification of the value in the Finished message 19.16 andgenerates and transmits the Change Cipher Spec and Finish message to theclient device 1910.

In order to perform the key exchange verification using the informationincluded in the Finished message of operation 19.16, the secure sessionserver 1920 may receive the master secret from the key server 1930 inaddition to the session keys. In one embodiment, verifying that the keyexchange was successful includes using a pseudorandom function thatincludes as its input the master secret. For example, verifying that thekey exchange was successful may include the secure session server 1920calculating a value using the same pseudorandom function that takes asinput the master secret, a finished label (e.g., a client finishedlabel), and a hash of all of the messages in the handshake previouslysent to the client device 1910 and received from the client device 1910(e.g., the Client Hello message of operation 19.1, the Server Hellomessage of operation 19.4, the Certificate message of operation 19.6,the Server Key Exchange message of operation 19.8, the Server Hello Donemessage of operation 19.10, the Client Key Exchange message of operation19.11, and the Change Cipher Spec message of operation 19.14). Thatcalculated value is compared with the value received in the Finishedmessage (the values should be the same if the key exchange wassuccessful). It should be understood that if the verification fails, thehandshake does not continue. In order to generate the hash of themessages in the handshake, the secure session server 1920 may cache themessages that it receives from the client device 1910 and transmits tothe client device 1910 such that it may generate the hash for thecomparison. Alternatively the secure session server 1920 may useincremental hashing and update the hash value upon receiving eachmessage from the client device 1910 and transmitting each message to theclient device 1910 for generating the hash.

The secure session server 1920 may generate and transmit a Change CipherSpec message to the client device 1910 and generate and transmit aFinished message to the to the client device 1910. If generating theFinished message, the secure session server 1920 may cache the messagesthat it receives from the client device 1910 and transmits to the clientdevice 1910 such that it may generate the encrypted hash in the message.Alternatively the secure session server 1920 may use incremental hashingand update the hash value upon receiving each message from the clientdevice 1910 and transmitting each message to the client device 1910 togenerate the hash in the Finished message. Generating the Finishedmessage may include calculating a value using a pseudorandom functionthat takes as input the master secret (which is received from the keyserver 1930), a finished label (e.g., a server finished label), and ahash of all of the messages in the handshake previously sent to theclient device 1910 and received from the client device 1910 (e.g., theClient Hello message of operation 19.1, the Server Hello message ofoperation 19.4, the Certificate message of operation 19.6, the ServerKey Exchange message of operation 19.8, the Server Hello Done message ofoperation 19.10, the Client Key Exchange message of operation 19.11, theChange Cipher Spec message of operation 19.14, the Finished message ofoperation 19.16, and the Change Cipher Spec message of operation 19.19).

In addition to receiving the session keys from the key server 1930, thesecure session server 1920 may also receive the generated master secretfrom the key server 1930. The generated master secret may be used whenverifying the information included in the Finished message received fromthe client device 1910 and when generating the Finished message totransmit to the client device 1910 as previously described herein. Inaddition, the master secret may be used when resuming a session betweenthe client device 1910 and the secure session server 1920. For example,when a connection is established by resuming a session (e.g., the clienttransmits a ClientHello message with a session ID of a session that iscapable of being resumed), new ClientHello.random and ServerHello.randomvalues are generated and hashed with the master secret of theestablished session. If the master secret is not transmitted to thesecure session server 1920, the secure session server 1920 may requestthe key server 1930 to hash the new ClientHello.random andServerHello.random values with the master secret and provide the resultto the secure session server 1920 to support resumption of sessions.

FIG. 19B illustrates exemplary operations for resuming a sessionaccording to the embodiment of FIG. 19A. Although not illustrated inFIG. 19B, prior to the operation 19.23, the secure session 1960 betweenthe client device 1910 and the secure session server 1920 has beenclosed. At some point later, at operation 19.23, the secure sessionserver 1920 receives a Client Hello message from the client device 1910.This Client Hello message differs from the Client Hello message ofoperation 19.1 in that it effectively includes a request to resume thesession. This Client Hello message may include a session ID that was setfor a previously established secure session (e.g., the secure session1960). The Client Hello message of operation 19.23 includes a differentrandom value than the Client Hello message of operation 19.1 (adifferent ClientHello.random value).

Embodiments may support the use of stateful session resumption and/orstateless session resumption. In the case of stateless sessionresumption, encrypted session state information is transmitted to theclient device 1910 in the form of a ticket that the client may presentback to the secure session server 1920 when requesting resumption of asession. The ticket includes session state (e.g., the cipher suite andthe master secret) and is encrypted with a key that is not known by theclient device 1910 (e.g., it may be encrypted with a key that is knownonly to the key server 1930 and/or to the secure session server 1920).The client device 1910 can request a session be resumed using theticket. In some embodiments the ticket is generated by the key server1930 whereas in other embodiments the ticket is generated by the securesession server 1920. An exemplary format of the ticket may be defined inaccordance with RFC 5077. If the secure session server 1920 isgenerating the ticket, then the key server 1930 transmits the mastersecret to the secure session server 1920. If the key server 1930 isgenerating the ticket, the secure session server 1920 may transmit arequest to the key server 1930 to generate the ticket only when theclient device 1910 indicates that it supports this extension, where thisrequest may be transmitted to the key server 1930 after the Finishedmessage transmitted by the client device 1910 has been successfullyverified. The key server 1930 receives the request to generate theticket, generates the ticket (encrypting it with a key that is knownonly to the key server 1930 for example), and transmits the ticket tothe secure session server 1920. The secure session server 1920 transmitsthe ticket to the client device 1910 before the Change Cipher Specmessage of operation 19.19 and after the Finished message of the clientdevice 1910 has been verified. In such embodiments, the Client Hellomessage of operation 19.23 includes the ticket (e.g., in a SessionTicketextension as defined in RFC 5077).

At operation 19.24, the secure session server 1920 transmits the ClientHello message to the key server 1930. This Client Hello message is thesame or substantially the same as the Client Hello message of operation19.23 and includes the request to resume the session.

Assuming that the session can be resumed (e.g., a valid ticket wasincluded in the Client Hello message of operation 19.23 or the sessionidentifier included in the Client Hello message of operation 19.23matches session information in the key server 1930 and the key server1930 is willing to re-establish the connection under the specifiedsession state), the key server 1930 generates the session keys for theresumed session (which will be different than the session keys used forthe secure session 1960) using the existing master secret generated forthe secure session 1960, the new ClientHello.random value (included inthe Client Hello message of operation 19.23), a new ServerHello.randomvalue chosen by the key server 1930, and other security parameters thathave been previously negotiated. The key server 1930 may retrieve thesession state (e.g., the master secret and cipher suite) from thecontents of the ticket (if included in the Client Hello message ofoperation 19.23) or through its session cache if resuming under statefulsession resumption. The session keys may include a client write MAC key,a server write MAC key, a client write encryption key, and a serverwrite encryption key. A client write IV and a server write IV may alsobe generated depending on the cipher used. The key server 1930 transmitsthe session keys to the secure session server 1920 at operation 19.25.

At operation 19.26, the key server transmits a Server Hello message tothe secure session server 1920 that is destined for the client device1910. This Server Hello message includes the new ServerHello.randomvalue selected by the key server 1930. At operation 19.27, the securesession server 1920 forwards the Server Hello message to the clientdevice 1910.

At operation 19.28, the key server 1930 transmits a Change Cipher Specmessage to the secure session server 1920 which is transmitted by thesecure session server 1920 to the client device 1910 at operation 19.29.The Change Cipher Spec message indicates that future messagestransmitted by the secure session server 1920 will be encrypted usingthe newly negotiated keys.

At operation 19.30, the key server 1930 transmits a Finished message tothe secure session server 1920 which is then transmitted by the securesession server 1920 to the client device 1910 at operation 19.31. TheFinished message may include an encrypted hash of all the messages inthe handshake to resume the session previously sent and received by theclient device 1910 to verify that the key exchange was successful. Inone embodiment the Finished message includes a value calculated using apseudorandom function that takes as input the master secret, a finishedlabel (e.g., a server finished label), and a hash of all of the messagesin the handshake previously received from the client device 1910 andsent to the client device 1910 for this handshake (e.g., the ClientHello message of operation 19.23, the Server Hello message of operation19.27, and the Change Cipher Spec message of operation 19.29).

At operation 19.32, the secure session server 1920 receives a ChangeCipher Spec message from the client device 1910. The Change Cipher Specmessage from the client device 1910 indicates that future messagestransmitted by the client device 1910 will be encrypted using the newlynegotiated keys. In one embodiment, at operation 19.33, the securesession server 1920 transmits the Change Cipher Spec message to the keyserver 1930. In another embodiment, the secure session server 1920 doesnot transmit the Change Cipher Spec message to the key server 1930.

At operation 19.34, the client device 1910 transmits a Finished messageto the secure session server 1920. The Finished message is encryptedusing the generated session keys. By way of example, the Finishedmessage includes an encrypted hash of all of the messages in thishandshake previously sent by and received by the client device 1910. TheFinished message is used to verify that the key exchange andauthentication processes were successful. For example, the message mayinclude a value calculated using a pseudorandom function that takes asinput the master secret, a finished label (e.g., a client finishedlabel), and a hash of all of the messages in the handshake previouslysent by the client device 1910 and received at the client device 1910.In one embodiment, the secure session server 1920 transmits the Finishedmessage to the key server 1930 at operation 19.35.

In another embodiment, the secure session server 1920 does not transmitthe Finished message to the key server 1930. If the secure sessionserver 1920 does not transmit the Finished message to the key server1930, the secure session server 1920 will verify whether the keyexchange was successful. In one embodiment, verifying that the keyexchange was successful includes using a pseudorandom function thatincludes as its input the master secret. In such an embodiment, thesecure session server 1920 may receive the master secret from the keyserver 1930. For example, verifying that the key exchange was successfulmay include the secure session server 1920 calculating a value using thesame pseudorandom function that takes as input the master secret, afinished label (e.g., a client finished label), and a hash of all of themessages in the handshake for this session that were previously sent tothe client device 1910 and received from the client device 1910 (e.g.,the Client Hello message of operation 19.23, the Server Hello message ofoperation 19.27, the Change Cipher Spec message of operation 19.29, theFinished message of operation 19.31, and the Change Cipher Spec messageof operation 19.32). That calculated value is compared with the valuereceived in the Finished message (the values should be the same if thekey exchange was successful). It should be understood that if theverification fails, the handshake does not continue. In order togenerate the hash of the messages in the handshake, the secure sessionserver 1920 may cache the messages that it receives from the clientdevice 1910 and transmits to the client device 1910 such that it maygenerate the hash for the comparison. Alternatively the secure sessionserver 1920 may use incremental hashing and update the hash value uponreceiving each message from the client device 1910 and transmitting eachmessage to the client device 1910 for generating the hash.

At operation 19.36, the key server 1930 transmits a message indicatingwhether the key exchange and authentication processes were verified asbeing successful. Assuming that the key exchange and authenticationprocesses are verified as being successful, thereafter at operation19.37 future messages between the client device 1910 and the securesession server 1920 are encrypted over the secure session 1965, whichcarry the application data of the connection.

In one embodiment, the messages transmitted between the secure sessionserver 1920 and the key server 1930 may be transmitted over a secureconnection (e.g., encrypted using SSL or TLS). The session keystransmitted to the secure session server 1920 may be encrypted in such away that the secure session server 1920 may decrypt them.

In one embodiment, the operations of 19.26, 19.28, 19.30, 19.33, 19.35,and/or 19.36 are optional. For example, in some embodiments the securesession server 1920 generates the Server Hello message instead ofreceiving it from the key server 1930. In such an embodiment, the securesession server 1920 may select a ServerHello.random value and transmitthat value to the key server 1930 prior to the key server 1930generating the session keys. As another example, in some embodiments thesecure session server 1920 generates the Change Cipher Spec message totransmit to the client device 1910 instead of it being received from thekey server 1930.

As another example, in some embodiments the secure session server 1920generates the Finished message to transmit to the client device 1910instead of it being received from the key server 1930. Generating theFinished message may include calculating a value using a pseudorandomfunction that takes as input the master secret, a finished label (e.g.,a server finished label), and a hash of all of the messages in thehandshake previously sent to the client device 1910 and received fromthe client device 1910 (e.g., the Client Hello message of operation19.23, the Server Hello message of operation 19.27, and the ChangeCipher Spec message of operation 19.29). For generating the hash, thesecure session server 1920 may cache the messages that it receives fromthe client device 1910 and transmits to the client device 1910 such thatit may generate the hash in the message. Alternatively the securesession server 1920 may use incremental hashing and update the hashvalue upon receiving each message from the client device 1910 andtransmitting each message to the client device 1910 for generating thehash in the Finished message. In order to generate the Finished message,the secure session server 1920 receives the master secret from the keyserver 1930.

As another example, in some embodiments the secure session server 1920may not transmit the Change Cipher Spec received from the client device1910 in operation 19.32 to the key server 1930 and may not transmit theFinished message received from the client device 1910 in operation 19.35to the key server 1930. In an embodiment where the Finished message isnot transmitted to the key server 1930, the secure session server 1920may perform the verification if it has access to the master secret fromthe key server 1930. For example, verifying that the key exchange wassuccessful may include the secure session server 1920 calculating avalue using a pseudorandom function that takes as input the mastersecret, a finished label (e.g., a client finished label), and a hash ofall of the messages in the handshake previously sent to the clientdevice 1910 and received from the client device 1910 (e.g., the ClientHello message of operation 19.23, the Server Hello message of operation19.27, the Change Cipher Spec message of operation 19.29, the Finishedmessage of operation 19.31, and the Change Cipher Spec message ofoperation 19.32). That calculated value is compared with the valuereceived in the Finished message of operation 19.34 (the values shouldbe the same if the key exchange was successful). It should be understoodthat if the verification fails, the handshake does not continue. Inorder to generate the hash of the messages in the handshake, the securesession server 1920 may cache the messages that it receives from theclient device 1910 and sends to the client device 1910 such that it maygenerate the hash for the comparison. Alternatively the secure sessionserver 1920 may use incremental hashing and update the hash value uponreceiving each message from the client device 1910 and transmitting eachmessage to the client device 1910.

As described above, the messages transmitted between the secure sessionserver 1920 and the key server 1930 may be transmitted over a secureconnection (e.g., encrypted using SSL or TLS). As part of establishingthe secure session, the key server 1930 may request a client certificatefrom the secure session server 1920 and the secure session server 1920may transmit a client Certificate message that includes its certificateto the key server 1930. The data in the client Certificate message isused by the key server 1930 to authenticate the identity of the securesession server 1920.

In some embodiments, the key server 1930 may use IP address blocking toaccept connections (such as from the secure session server 1920) fromonly certain IP addresses. For example, the key server 1930 may have awhitelist of IP address(es) and/or IP address range(s) that are allowedto connect to the key server 1930 or have a blacklist of IP address(es)and/or IP address range(s) that are not allowed to connect to the keyserver 1930. IP address blocking may also be used at one or moreintermediary network devices between the secure session server 1920 andthe key server 1930.

Although a secure session has been described between the secure sessionserver 1920 and the key server 1930 that is initiated by the securesession server 1920, in other embodiments the secure session can beinitiated by the key server 1930.

In some embodiments, the messages transmitted by the secure sessionserver 1920 to the key server 1930 are signed with a private key that isknown only to the secure session server 1920. In such embodiments, thekey server 1930 verifies the validity of the signature of a messageprior to acting on that message. The key server 1930 verifies whetherthe signature is valid using the corresponding public key and will onlycontinue with the operations if the signature is valid.

A combination of the security techniques described may be used toprovide security for the connection between the secure session server1920 and the key server 1930. For example, a combination of requiring aclient Certificate, IP address blocking, and signing the messagestransmitted by the secure session server with a private key known onlyto the secure session server may be used to provide security for theconnection between the secure session server 1920 and the key server1930.

In one embodiment, the key server 1930 stores or has access to privatekeys for multiple domains and/or zones, which may be owned or controlledby different entities. For example, the key server 1930 may store orhave access to the private key for example.com and example2.com, whichmay be owned or controlled by different entities. In such an embodiment,the secure session server 1920 indicates the domain or zone in which theclient device 1910 is requesting a connection. For example, if theclient device 1910 is requesting a secure session with example.com, thenthe secure session server 1920 indicates to the key server 1930 thatexample.com is the requested domain. The client device 1910 may specifythe destination domain using the SNI extension in the Client Hellomessage. If the destination is not specified by the client device 1910(e.g., the client device 1910 does not support SNI), then the securesession server 1920 matches the destination IP address of theclient-hello message sent by the client device 1910 with thecorresponding hostname (e.g., the secure session server 1920 may includea mapping of IP addresses and hostnames). The secure session server 1920may transmit the indication of the domain or zone name to the key server1930 in a number of different ways including in a header, a custombinary structure, or a serialization format (e.g., protobuf, JavaScriptObject Notation (JSON), etc.). After receiving the indication of thedomain or zone name in which the client is attempting to connect, thekey server 1330 accesses the corresponding private key. In anotherembodiment, a certificate fingerprint or a hash of the modulus (for RSA)may be used to identify the corresponding private key. For example, thesecure session server 1920 may generate a fingerprint over thecertificate included in the Certificate message of operation 19.6 (e.g.,a hash may be generated over the certificate) and transmit thatfingerprint value to the key server 1930. The key server 1930 uses thesame fingerprint algorithm to generate a fingerprint over its digitalcertificates and matches each to the corresponding private key. Uponreceiving the fingerprint value from the secure session server 1920, thekey server 1930 matches that fingerprint value with one of thefingerprint values it generated over the public certificate (the samepublic certificate included in the Certificate message of operation19.6) to lookup the corresponding private key. As another example, thesecure session server 1920 may hash the modulus of the public keyincluded in the certificate of the Certificate message of operation 19.6and transmit that hash value to the key server 1930. The key server 1930uses the same hash algorithm to generate a hash value over the modulusover its stored public keys and matches each to the correspondingprivate key. Upon receiving the hash value from the secure sessionserver 1920, the key server 1930 matches that hash value with one of thehash values it generated to lookup the corresponding private key.

In embodiments where a ticket is used for resuming a session aspreviously described, the key server 1930 may also renew the ticket bytransmitting a message (e.g., a NewSessionTicket message) to the securesession server 1920 which may transmit the message to the client device1910 after the Server Hello message of operation 19.27.

Although FIG. 19 illustrates the key server 1930 generating the sessionkeys after receiving a request to resume the session, in one embodimentthe secure session server 1920 generates the session keys afterreceiving a request to resume the session. For example, in an embodimentwhere the key server 1930 generates a ticket that includes the sessionstate (e.g., the master key and the cipher suite) that is encrypted witha key that is not known or shared with the client device 1910, the keyserver 1930 may transmit the key to decrypt the ticket to the securesession server 1920. Accordingly, upon receiving a request to resume asession from the client device 1910 that includes a session resumptionticket, the secure session server 1920 may decrypt the ticket with thekey received from the key server 1930, retrieve the session state fromthe contents of the ticket, and generate the session keys using theretrieved session state.

As another example, the key server 1930 may transmit the master secretto the secure session server 1920 such that secure session server 1920may use either stateful session resumption or stateless sessionresumption without requiring further interaction with the key server1930. For example in the case of stateful session resumption, the securesession server 1920 may receive the master secret from the key server1930 and store it in association with other session state parameters inits session cache (e.g., the cipher suite). Upon receiving a request toresume a session from a client that includes a session identifier of thesession to be resumed, the secure session server 1920 checks its sessioncache for a matching identifier and if found and the secure sessionserver 1920 is willing to re-establish the connection (the securesession server 1920 may deny the request to resume a session for avariety of reasons including if a lifetime of the session identifier hasbeen reached), the secure session server 1920 will use that storedsession state to generate new session keys for the resumed session. Inthe case of stateless session resumption, the secure session server 1920may receive the master secret from the key server 1930 and generate andencrypt the ticket that includes the session state information(encrypted with a ticket that may be only known to the secure sessionserver 1920). The secure session server 1920 will provide the ticket tothe client device 1910 (e.g., before the Change Cipher Spec message ofoperation 19.19 and after the Finished message of the client device 1910has been verified). Upon receiving a request to resume a session fromthe client device 1910 that includes a session resumption ticket, thesecure session server 1920 may decrypt the ticket, retrieve the sessionstate from the contents of the ticket, and generate the session keysusing the retrieved session state.

FIG. 20 is a flow diagram that illustrates exemplary operationsperformed by a secure session server for establishing a secure sessionimplemented with public-key cryptography between a client device and asecure session server where the secure session server does not haveaccess to a private key for the requested domain according to anotherembodiment. The private key is stored remotely from the secure sessionserver (e.g., on a key server). For example, in the embodiment describedwith reference to FIG. 20, the secure session server proxies themessages of the handshake between the client device and the key serverwhere the key server generates and transmits to the secure sessionserver the set of session keys to be used during the secure sessionbetween the client device and the secure session server.

At operation 2010, the secure session server receives a message from theclient device that initiates a procedure to establish a secure sessionwith the client device and transmits the message to a key server. Forexample, the secure session server may receive a Client Hello messagefrom the client device (e.g., an SSL or TLS Client Hello message).Depending on the protocol and capabilities of the client device, themessage may indicate the destination host name in which the clientdevice wishes to establish a secure session (e.g., the Client Hellomessage may include the Server Name Indication (SNI) extension andspecify the destination host name). The message may also include randomdata used for cryptographic purposes (sometimes referred to asClientHello.random), and may indicate whether and what type ofextensions (defined by the protocol) the client supports.

The secure session server may be terminating secure session connectionsfor multiple domains that are owned by different entities and therespective private keys for those domains may be stored on different keyservers. If the secure session server is supporting multiple domainswhose respective private keys are stored on different key servers, thesecure session server determines which key server it will transmit themessage received from the client device. For example, if the clientdevice specifies the destination domain using the SNI extension in theClient Hello message, the secure session server uses the destinationdomain to determine which key server the Client Hello message should betransmitted to. If the client device does not specify the destinationdomain using the SNI extension, then the secure session server matchesthe destination IP address of the message received from the clientdevice with the corresponding hostname to determine which key server todetermine which key server the message should be transmitted to (e.g.,the secure session server may include a mapping of IP addresses andhostnames). The secure session server may also transmit the destinationhostname to the key server (e.g., if the SNI extension is not used bythe client device).

Flow then moves to operation 2015 where the secure session serverreceives a message from the key server in response to the messagetransmitted in operation 2010 and transmits the message to the clientdevice. For example, this message may be a Server Hello message. Thismessage may include the version of the SSL or TLS protocol supported, asession identifier that will be used to identify the session, theselected cipher suite (selected from the list of cipher suites includedin the message received in operation 2010), random data used forcryptographic purposes that is different than the random data includedin the ClientHello message (sometimes referred to asServerHello.random), and may also include a list of the extensions thatthe server supports. Flow then moves to operation 2020.

At operation 2020, the secure session server receives a digitalcertificate from the key server and transmits the digital certificate tothe client device. The digital certificate includes a public key for therequested domain. It should be understood that the private key thatcorresponds to the public key is not stored on the secure session server(e.g., it is stored remotely on a key server). The digital certificatemay be transmitted in an SSL or TLS Certificate message. In theembodiment of FIG. 20, the key server has selected a cipher suite thathas a key exchange in which the certificate message transmitted by thesecure session server does not include enough data to allow the clientdevice to generate a premaster secret. For example, the selected ciphersuite may use Diffie-Hellman as the key exchange mechanism (e.g.,DHE_RSA, DHE_DSS, ECDHE, ECDSA, or ECDHE_RSA).

Flow moves from operation 2020 to operation 2025 where the securesession server receives a message from the key server that includes asigned set of cryptographic parameters used for generating a premastersecret and the secure session server transmits the message to the clientdevice. In one embodiment this message is a Server Key Exchange message.By way of example if the key exchange mechanism is DHE_DSS or DHE_RSA,the cryptographic parameters may include the following: the primemodulus used for the Diffie-Hellman operation (p), the generator usedfor the Diffie-Hellman operation (g), and a Diffie-Hellman public valueof the key server (ĝX mod p, where X is the Diffie-Hellman private valueselected by the key server). As another specific example where the keyexchange mechanism is Ephemeral Elliptic Curve Diffie-Hellman (ECDHE)such as ECDHE_ECDSA or ECDHE_RSA, the cryptographic parameters includethe Ephemeral ECDH public key and a specification of the correspondingcurve (the corresponding elliptic curve domain parameters) (e.g., asdefined in RFC 4492). The cryptographic parameters are signed using aprivate key on the key server. The message may also include one or morerandom values (e.g., the ClientHello.random and the ServerHello.randomvalues) that may also be part of the signed data. Flow then moves tooperation 2030.

At operation 2030, the secure session server receives from the keyserver a message that indicates that the hello-message phase of thehandshake is complete and the secure session server transmits thismessage to the client device. For example this message may be a ServerHello Done message. Flow then moves to operation 2035.

At operation 2035, the secure session server receives from the clientdevice a message with information necessary to generate a premastersecret (e.g., it includes the client's Diffie-Hellman public value) andtransmits the message to the key server. For example this informationmay be included in a Client Key Exchange message. Using thisinformation, the key server generates a premaster secret. For example,the key server generates the premaster secret using the client'sDiffie-Hellman public value and its Diffie-Hellman private value. Usingthe premaster secret, the key server calculates the master secret. Byway of example, the master secret is calculated using a pseudorandomfunction that takes as input the premaster secret, theClientHello.random value, and the ServerHello.random value. Aftercalculating the master secret, the key server generates session keysthat will be used to encrypt and decrypt information during the securesession between the client device and the secure session server. By wayof a specific example, the master secret is used when generating aclient write Message Authentication Code (MAC) key, a server write MACkey, a client write encryption key, and a server write encryption key. Aclient write Initialization Vector (IV) and a server write IV may alsobe generated depending on the cipher used.

Flow then moves to operation 2040 where the secure session serverreceives from the key server the set of session keys that will be usedto encrypt and decrypt information during the secure session between theclient device and the secure session server. The set of session keys maybe encrypted prior to transmission to the secure session server.

Although not illustrated in FIG. 20, in some embodiments the securesession server may also receive from the client device and transmit tothe key server a message that indicates that future messages transmittedby the client device will be encrypted (e.g., a Change Cipher Specmessage). In addition, the secure session server may also receive fromthe client device and transmit to the key server a message that has beenencrypted using the session keys (e.g., a Finished message).

Although not illustrated in FIG. 20, in some embodiments the securesession server may also receive from the key server and transmit to theclient device a message that indicates that future messages transmittedby the secure session server will be encrypted (e.g., a Change CipherSpec message). In addition, the secure session server may also receivefrom the key server and transmit to the client device a message that hasbeen encrypted using the session keys (e.g., a Finished message).

The secure session server may also receive the master secret from thekey server, which may be used for resuming the secure session amongother actions.

Flow then moves to operation 2045 where future messages sent between theclient device and the secure session server over the secure session willbe encrypted and decrypted using the set of session keys received fromthe key server. For example, the client write key is used by the clientdevice to encrypt data and used by the secure session server to decryptdata received from the client device, the client write MAC key is usedto authenticate data written by the client device, the server write keyis used by the secure session server to encrypt data and used by theclient device to decrypt data received from the secure session server,and the server write MAC key is used to authenticate data written by thesecure session server.

The messages transmitted between the secure session server and the keyserver described in FIG. 20 can be transmitted over a secure connectionand/or can otherwise be encrypted.

Although not illustrated in FIG. 20, in some embodiments the securesession server may also receive from the client device a message thatindicates that future messages transmitted by the client device will beencrypted (e.g., a Change Cipher Spec message) and a first message thathas been encrypted using the session keys (e.g., a Finished message).This first encrypted message may be used by the secure session server toverify that the key exchange and authentication processes weresuccessful. This message may include a value calculated using apseudorandom function that takes as input the master secret, a finishedlabel (e.g., a client finished label), and a hash of all of the messagesin the handshake previously received from and sent to the client device.Instead of transmitting these messages to the key server, in oneembodiment the secure session server performs the key exchangeverification using the value in the first encrypted message using thenegotiated session keys (the Finished message). For example, verifyingthat the key exchange was successful may include the secure sessionserver calculating a value using the same pseudorandom function thattakes as input the master secret, the finished label (e.g., the clientfinished label), and the hash of all of the messages in the handshakepreviously received from and sent to the client device; and comparingthat value with the value received in the Finished message (the valuesshould be the same if the key exchange was successful). In such anembodiment, the key server transmits the master secret to the securesession server which uses the master secret in the verification. Inorder to generate the hash of the messages in the handshake for use inthe verification, the secure session server may cache the messages thatit receives from the client device and sends to the client device suchthat it may generate the hash for the comparison. Alternatively thesecure session server 1320 may use incremental hashing and update thehash value upon receiving each message from the client device 1310 andtransmitting each message to the client device 1310.

The secure session server may also generate and transmit to the client amessage that indicates that future messages transmitted by the securesession server will be encrypted (e.g., a Change Cipher Spec message)and generate and transmit to the client a first message that has beenencrypted using the session keys (e.g., a Finished message). This firstmessage (the Finished message) may be used by the client device toverify that the key exchange and authentication processes weresuccessful and may include a value calculated using a pseudorandomfunction that takes as input the master secret, a finished label (e.g.,a server finished label), and a hash of all of the messages in thehandshake previously received from the client device and sent to theclient device. If generating the Finished message, the secure sessionserver may cache the messages that it receives from the client deviceand transmits to the client device such that it may generate theencrypted hash in the message. Alternatively the secure session servermay use incremental hashing and update the hash value upon receivingeach message from the client device and transmitting each message to theclient device for generating the hash in the Finished message.

FIG. 21 is a flow diagram that illustrates exemplary operationsperformed on a key server for establishing a secure session implementedwith public-key cryptography between a client device and a securesession server where the secure session server does not have access to aprivate key for the requested domain according to another embodiment. Atoperation 2110, the key server receives a message from a secure sessionserver that a client is requesting a secure session with the securesession server. For example, the message may be a Client Hello messagethat originated from a client device. The secure session server may alsotransmit an indication of the destination host name in which the clientdevices wishes to establish a secure session. For example, the ClientHello message may include the SNI extension that specifies thedestination host name. As another example, the secure session server mayotherwise indicate to the key server the destination host name if theClient Hello message does not include the SNI extension. The message mayalso include random data used for cryptographic purposes (sometimesreferred to as ClientHello.random), and may indicate whether and whattype of extensions (defined by the protocol) the client supports. Flowmoves from operation 2110 to operation 2115.

At operation 2115, the key server transmits a message to the securesession server that is destined for the client in response to themessage received at operation 2110. For example, the message may be aServer Hello message. This message may include the version of the SSL orTLS protocol supported, a session identifier that will be used toidentify the session, the selected cipher suite (selected from the listof cipher suites included in the message received in operation 2110),random data used for cryptographic purposes that is different than therandom data included in the ClientHello message (sometimes referred toas ServerHello.random), and may also include a list of the extensionsthat the server supports. Flow then moves to operation 2120.

At operation 2120, the key server transmits a digital certificate to thesecure session server that is destined for the client for the requesteddomain. The digital certificate may be included in a Certificatemessage. The digital certificate includes a public key for the requesteddomain. Flow moves from operation 2120 to operation 2125.

In the example of FIG. 21, the key server has selected a cipher suitethat has a key exchange in which the certificate message transmitted bythe key server does not include enough data to allow the client deviceto generate a premaster secret. For example, the selected cipher suitemay use Diffie-Hellman as the key exchange mechanism (e.g., DHE_RSA,DHE_DSS, ECDHE, ECDSA, or ECDHE_RSA).

At operation 2125, the key server transmits a message to the securesession server that is destined for the client, the message havingsigned cryptographic parameters for the client to generate a premastersecret. In one embodiment this message is a Server Key Exchange message.By way of example if the key exchange mechanism is DHE_DSS or DHE_RSA,the cryptographic parameters may include the following: the primemodulus used for the Diffie-Hellman operation (p), the generator usedfor the Diffie-Hellman operation (g), and a Diffie-Hellman public valueof the key server (ĝX mod p, where X is the Diffie-Hellman private valueselected by the key server). As another specific example where the keyexchange mechanism is ECDHE such as ECDHE_ECDSA or ECDHE_RSA, thecryptographic parameters include the Ephemeral ECDH public key and aspecification of the corresponding curve (the corresponding ellipticcurve domain parameters) (e.g., as defined in RFC 4492). Thecryptographic parameters are signed using a private key on the keyserver. The message may also include one or more random values (e.g.,the ClientHello.random and the ServerHello.random values) that may alsobe part of the signed data. Flow then moves to operation 2130.

At operation 2130 the key server transmits a message to the securesession server that is destined for the client that indicates that thehello-message phase of the handshake is complete and the client canproceed with its phase of the key exchange. For example, this messagemay be a Server Hello Done message.

Flow then moves to operation 2135 where the key server receives amessage from the secure session server with information for the keyserver to generate the same premaster. For example, the message mayinclude the client's Diffie-Hellman public value. In one embodiment,this message is a Client Key Exchange message. Flow moves from operation2135 to operation 2140.

At operation 2140, the key server generates premaster secret, the mastersecret, and the session keys that will be used for encrypting anddecrypting communication for the secure session between the client andthe secure session server. The key server generates the premaster secretusing the client's Diffie-Hellman public value (received in the messageof operation 2135) and its Diffie-Hellman private value. The key serveruses the premaster secret to calculate the master secret. The clientrequesting the secure session and the key server use the same algorithmand data to calculate the same master secret. By way of example, themaster secret is calculated using a pseudorandom function that takes asinput the premaster secret, the ClientHello.random value, and theServerHello.random value. The master secret is used by the key serverwhen generating the session keys that are used to encrypt and decryptinformation during the secure session. By way of a specific example, thesession keys may include a client write Message Authentication Code(MAC) key, a server write MAC key, a client write encryption key, and aserver write encryption key. A client write Initialization Vector (IV)and a server write IV may also be generated depending on the cipherused. Flow moves from operation 2140 to operation 2145.

At operation 2145, the key server transmits the set of session keys tothe secure session server for use in the secure session between theclient device and the secure session server.

Although not illustrated in FIG. 21, in some embodiments the key servermay receive from the secure session a message that indicates that futuremessages transmitted by the client device will be encrypted (e.g., aChange Cipher Spec message). The key server may also receive from thesecure session server a first message that has been encrypted using thesession keys (e.g., a Finished message). In such an embodiment where thekey server receives a Finished message, the key server may verify thatthe key exchange and authentication processes were successful. The keyserver may also transmit to the secure session server a message that isdestined for the client that indicates that future messages transmittedwill be encrypted (e.g., a Change Cipher Spec message). The key servermay also transmit to the secure session server a first message that isdestined for the client and that has been encrypted using the sessionkeys (e.g., a Finished message).

Although not illustrated in FIG. 21, in some embodiments the key servertransmits the master secret it generated to the secure session server.The secure session server may use the master secret when responding to arequest to resume the secure session using techniques as previouslydescribed herein. The secure session server may use the master secretwhen verifying that the key exchange was successful (e.g., verifying thevalue included in a Finished message received from the client device) orwhen generating the Finished message to transmit to the client.

The messages transmitted between the secure session server and the keyserver described in FIG. 21 can be transmitted over a secure connectionbetween the secure session server and the key server and/or canotherwise be encrypted. If a secure connection is used, as part ofestablishing that secure connection the key server may request a clientcertificate from the secure session server in order to authenticate theidentity of the secure session server. In some embodiments, the keyserver may use IP address based blocking to verify that the key serveris communicating with a legitimate secure session server (e.g., byverifying that the secure session server is communicating with an IPaddress having a value that is expected by the key server). In someembodiments, the connection between the key server and the securesession server is a VPN connection. In some embodiments, the messagestransmitted by the secure session server to the key server are signedwith a private key that is known only to the secure session server. Insuch embodiments, the key server verifies the validity of the signatureof a message prior to acting on that message. In some embodiments, anycombination of these security techniques may be used.

Unlike traditional secure session implementations where the securesession server has local access to the private key during the handshake,in embodiments of the invention the private key is not locallyaccessible to the secure session server. This provides increasedsecurity during the secure session handshake. For example, although thesecure session server may deliver web content on behalf of a website,the secure session server may not be at the physical premises of thewebsite owner and/or be controlled by the website owner. This may causethe website owner to not trust the security of the secure session serverand/or the operators of the secure session server. However, because theprivate key is stored remotely (not on the secure session server) and isinstead stored on a key server in embodiments of the invention, thewebsite owner does not lose control of the private key while stillallowing for a secure session server that it does not control to providesecure session capability.

While embodiments described herein can be used for securing web traffic,the embodiments described herein can also be used to secure any networktraffic that relies on key-based cryptography for security.

In one embodiment, the secure session server and the key server areowned by different entities. For example, the secure session server maybe a proxy server in a cloud-based proxy service that provides one ormore services for one or more domain owners. By way of example, thecloud-based proxy service may provide services including protectingagainst Internet-based threats (e.g., proactively stopping botnets,cleaning viruses, trojans, and worms, etc.), providing performanceservices for customers (e.g., acting as a node in a content deliverynetwork (CDN) and dynamically caching customer's files closer tovisitors, page acceleration, content optimization services, etc.), imageloading optimization (e.g., deferred image loading and/orauto-resizing), and/or other services. The key server may be owned oroperated by a domain owner that is a customer of the cloud-based proxyservice. By way of a specific example, the domain owner of example.commay be a customer of the cloud-based proxy service. The key server maybe operated or under control of the domain owner, while the securesession server receives and transmits network traffic over a securesession between client devices and the secure session server forexample.com, where the secure session was established using embodimentsdescribed herein where the private key is stored remotely from thesecure session server. As a specific example, the key server may be anorigin server of the website owner.

By way of a specific example, after establishing the secure sessionbetween a client device and the secure session server, the securesession server may receive an encrypted request for a resource (theresource may be hosted on the secure session server, the key server, oron a different server). The secure session server decrypts the encryptedrequest to determine the resource the client device is requesting. Thesecure session server then retrieves the requested resource. Theresource may be retrieved locally by the secure session server (e.g., ifthe resource is locally available) or may be requested from an originserver that hosts the resource. In one embodiment, the secure sessionserver may be a node in a CDN. In one embodiment, the secure sessionserver and the key server are operated with different levels ofsecurity. For example, the key server may be operating in ahigh-security zone and the secure session zone may be operating in alower-security zone.

In one embodiment, embodiments described herein may be used in a CDNwhere there may be one or more trusted nodes that store the private keysand perform the operations of the key server described herein and one ormore untrusted nodes that perform the operations of the secure sessionserver described herein. The untrusted and trusted nodes may beseparated across a Wide Area Network. In some embodiments the untrustednodes request the trusted nodes to sign the secure sessions and thesecure sessions stay active for a configurable amount of time on theuntrusted node without having to query the trusted nodes.

Embodiments described herein have described the secure session serverand key server communicating over a connection (which may be a secureconnection). In some embodiments this connection is a persistentconnection (also referred to as a keep-alive connection) while in otherembodiments this connection is established on demand each time a securesession is established.

In some embodiments, there may be multiple key servers that have thesame private key(s) for which a secure session server may access. Insuch an embodiment, the traffic between the secure session server(s) andthe key servers may be load balanced to distribute the load among thekey servers. A secure session server may take a round-robin approachwhen selecting a particular one of the key servers. Alternatively, whenselecting a particular one of the key servers, a secure session servermay select the key server that has the fastest response, the shortestdistance, the least load, or a combination thereof.

Embodiments have described a key server remote from the server that isterminating the secure session (the secure session server) storingprivate key(s) and using those private key(s) when establishing and/orresuming a secure session between a client device and the secure sessionserver. In some embodiments, the key server may offload the private keyoperation (whether the private key operation is decrypting an encryptedpremaster secret or signing cryptographic parameters as previouslydescribed herein) to a trusted platform module (TPM) or a hardwaresecurity module (HSM). The TPM or HSM could be part of the same physicaldevice of the key server or may be connected to the key server through anetwork.

Splitting the Private Key

Embodiments have been described herein where the private key is storedon a server that is remote from the termination point of the secureconnection. In some embodiments these private keys are stored inhardware security module(s) or trusted platform module(s). In otherembodiments a private key is split into multiple parts that are storedin different entities (each of which may or may not also be stored in ahardware security module or trusted platform module). By way of aspecific example, a private key may be split into at least two partswhere at least one part is stored at the secure session server and atleast one part is stored at a remote key server. By way of anotherexample, a private key may be split into at least two parts where atleast one part is stored at a first key server and another part isstored at a second key server.

In an embodiment where the private key is split into multiple partswhere at least a first part is stored at a secure session server and asecond part is stored at a key server, when a private key operation isneeded in the secure session handshake, the secure session servertransmits the part of the key that it is storing to the key server andthe key server combines the parts to reconstruct the private key anduses the private key accordingly. The private key is split such that itis infeasible to derive the private key from a single part. By way ofexample, the private key may be split using Shamir's Secret Sharing orthrough other suitable ways of splitting the key. The whole private keymay be removed from the key server after splitting the key into multipleparts. Prior to removing the key, the key server may generate anidentifier of the private key and associate it with the private keypart. For example, the identifier may be hash value generated as aresult of a hash function over the private key. Other identifiers couldalso be used. Splitting the private key and not storing the wholeprivate key in a single entity helps protect against a situation whereeither the secure session server or the key server is compromised sinceonly a part of the private key cannot be used.

For example, with respect to FIG. 1, instead of the key server 130storing the entire private key 150, the private key 150 may be splitinto multiple parts where a first part is stored at the secure sessionserver 120 and a second part is stored at the key server 130. This isillustrated in FIG. 1 with the dashed box of the private key part 150Aand the private key part 150B. The private key part 150B can betransmitted by the key server 130 to the secure session server 120 orotherwise installed at the secure session server 120. In addition, theprivate key part 150B may be associated with an identifier (e.g., a hashof the private key 150) that can be transmitted by the key server 130 orotherwise installed at the secure session server 120. At operation 1.6,or in another message, the secure session server 120 transmits theprivate key part 150B to the key server 130. The key server 130 receivesthe private key part 150B and reconstructs the private key 150 using theprivate key part 150A and the private key part 150B and the operationsproceed as described with respect to FIG. 1. In addition to transmittingthe private key part 150B, the secure session server 120 may alsotransmit an identifier that is associated with the private key part 150B(e.g., a hash of the private key 150). The key server 130 may use thisidentifier when accessing the private key part 150A.

A split key approach may also be used with respect to the embodimentdescribed in FIG. 4. For example, instead of the key server 430 storingthe entire private key 450, the private key 450 may be split intomultiple parts where a first part is stored at the secure session server420 and a second part is stored at the key server 430. This isillustrated in FIG. 4 with the dashed box of the private key part 450Aand the private key part 450B. The private key part 450B can betransmitted by the key server 430 to the secure session server 420 orotherwise installed at the secure session server 420. In addition, theprivate key part 450B may be associated with an identifier (e.g., a hashof the private key 450) that can be transmitted by the key server 430 orotherwise installed at the secure session server 420. At operation 4.4,or in another message, the secure session server 420 transmits theprivate key part 450B to the key server 430. The key server 430 receivesthe private key part 450B and reconstructs the private key 450 using theprivate key part 450A and the private key part 450B and the operationsproceed as described with respect to FIG. 4. In addition to transmittingthe private key part 450B, the secure session server 420 may alsotransmit an identifier that is associated with the private key part 450B(e.g., a hash of the private key 450). The key server 430 may use thisidentifier when accessing the private key part 450A.

In a similar way as described with respect to FIG. 4, a split keyapproach may also be used with respect to the embodiment described inFIG. 7. For example, instead of the key server 730 storing the entireprivate key 750, the private key 750 may be split into multiple partswhere a first part is stored at the secure session server 720 and asecond part is stored at the key server 730. This is illustrated in FIG.7 with the dashed box of the private key part 750A and the private keypart 750B. The private key part 750B can be transmitted by the keyserver 730 to the secure session server 720 or otherwise installed atthe secure session server 720. In addition, the private key part 750Bmay be associated with an identifier (e.g., a hash of the private key750) that can be transmitted by the key server 730 or otherwiseinstalled at the secure session server 720. At operation 7.4, or inanother message, the secure session server 720 transmits the private keypart 750B to the key server 730. The key server 730 receives the privatekey part 750B and reconstructs the private key 750 using the private keypart 750A and the private key part 750B and the operations proceed asdescribed with respect to FIG. 7. In addition to transmitting theprivate key part 750B, the secure session server 720 may also transmitan identifier that is associated with the private key part 750B (e.g., ahash of the private key 750). The key server 730 may use this identifierwhen accessing the private key part 750A.

A split key approach may also be used with respect to the embodimentdescribed in FIG. 10. For example, instead of the key server 1030storing the entire private key 1050, the private key 1050 may be splitinto multiple parts where a first part is stored at the secure sessionserver 1020 and a second part is stored at the key server 1030. This isillustrated in FIG. 10 with the dashed box of the private key part 1050Aand the private key part 1050B. The private key part 1050B can betransmitted by the key server 1030 to the secure session server 1020 orotherwise installed at the secure session server 1020. In addition, theprivate key part 1050B may be associated with an identifier (e.g., ahash of the private key 1050) that can be transmitted by the key server1030 or otherwise installed at the secure session server 1020. Atoperation 10.6, or in another message, the secure session server 1020transmits the private key part 1050B to the key server 1030. The keyserver 1030 receives the private key part 1050B and reconstructs theprivate key 1050 using the private key part 1050A and the private keypart 1050B and the operations proceed as described with respect to FIG.10. In addition to transmitting the private key part 1050B, the securesession server 1020 may also transmit an identifier that is associatedwith the private key part 1050B (e.g., a hash of the private key 1050).The key server 1030 may use this identifier when accessing the privatekey part 1050A.

A split key approach may also be used with respect to the embodimentdescribed in FIG. 13. For example, instead of the key server 1330storing the entire private key 1350, the private key 1350 may be splitinto multiple parts where a first part is stored at the secure sessionserver 1320 and a second part is stored at the key server 1330. This isillustrated in FIG. 13 with the dashed box of the private key part 1350Aand the private key part 1350B. The private key part 1350B can betransmitted by the key server 1330 to the secure session server 1320 orotherwise installed at the secure session server 1320. In addition, theprivate key part 1350B may be associated with an identifier (e.g., ahash of the private key 1350) that can be transmitted by the key server1330 or otherwise installed at the secure session server 1320. Atoperation 13.6, or in another message, the secure session server 1320transmits the private key part 1350B to the key server 1330. The keyserver 1330 receives the private key part 1350B and reconstructs theprivate key 1350 using the private key part 1350A and the private keypart 1350B and the operations proceed as described with respect to FIG.13. In addition to transmitting the private key part 1350B, the securesession server 1320 may also transmit an identifier that is associatedwith the private key part 1350B (e.g., a hash of the private key 1350).The key server 1330 may use this identifier when accessing the privatekey part 1350A.

A split key approach may also be used with respect to the embodimentdescribed in FIGS. 16A-B. For example, instead of the key server 1630storing the entire private key 1650, the private key 1650 may be splitinto multiple parts where a first part is stored at the secure sessionserver 1620 and a second part is stored at the key server 1630. This isillustrated in FIGS. 16A-B with the dashed box of the private key part1650A and the private key part 1650B. The private key part 1650B can betransmitted by the key server 1630 to the secure session server 1620 orotherwise installed at the secure session server 1620. In addition, theprivate key part 1650B may be associated with an identifier (e.g., ahash of the private key 1650) that can be transmitted by the key server1630 or otherwise installed at the secure session server 1620. Atoperation 16.10, or in another message, the secure session server 1620transmits the private key part 1650B to the key server 1630. The keyserver 1630 receives the private key part 1650B and reconstructs theprivate key 1650 using the private key part 1650A and the private keypart 1650B and the operations proceed as described with respect to FIG.16A. As an example with respect to FIG. 16B, at operation 16.22 or inanother message prior to the key server 1630 generating the sessionkeys, the secure session server 1620 transmits the private key part1650B to the key server 1630. The key server 1630 receives the privatekey part 1650B and reconstructs the private key 1650 using the privatekey part 1650A and the private key part 1650B and the operations proceedas described with respect to FIG. 16B. In addition to transmitting theprivate key part 1650B, the secure session server 1620 may also transmitan identifier that is associated with the private key part 1650B (e.g.,a hash of the private key 1650). The key server 1630 may use thisidentifier when accessing the private key part 1650A. The key server1630 may discard the private key part 1650B and the reconstructedprivate key shortly after using the reconstructed private key. Forexample, shortly after decrypting the encrypted premaster secret, thekey server 1630 may remove the private key part 1650B and thereconstructed private key from memory. Thus, the key server 1630 doesnot permanently store the private key part 1650B or the reconstructedprivate key.

A split key approach may also be used with respect to the embodimentdescribed in FIGS. 19A-B. For example, instead of the key server 1930storing the entire private key 1950, the private key 1950 may be splitinto multiple parts where a first part is stored at the secure sessionserver 1920 and a second part is stored at the key server 1930. This isillustrated in FIG. 19 with the dashed box of the private key part 1950Aand the private key part 1950B. The private key part 1950B can betransmitted by the key server 1930 to the secure session server 1920 orotherwise installed at the secure session server 1920. In addition, theprivate key part 1950B may be associated with an identifier (e.g., ahash of the private key 1950) that can be transmitted by the key server1930 or otherwise installed at the secure session server 1920. Withrespect to FIG. 19A, prior to operation 19.7, the secure session server1920 transmits the private key part 1950B to the key server 1930. Thekey server 1930 receives the private key part 1950B and reconstructs theprivate key 1950 using the private key part 1950A and the private keypart 1950B and the operations proceed as described with respect to FIG.19A.

Embodiments have been described herein that describe a key server thatis remote from the server that is terminating the secure session (thesecure session server) storing private key(s) and using those privatekey(s) when establishing and/or resuming a secure session between aclient device and the secure session server. In some embodiments thesecure session server may request the private key from the key serverwhen a private key operation is needed and store the private key inmemory (typically volatile memory) for a limited amount of time (e.g.,only until the private key operation is complete). In other words, thesecure session server does not permanently store the private key butinstead requests it on demand from the key server and it only resides inmemory of the secure session server for a limited amount of time.

As illustrated in FIG. 22, the computing device 2200, which is a form ofa data processing system, includes the bus(es) 2250 which is coupledwith the processing system 2220, power supply 2225, memory 2230, and thenonvolatile memory 2240 (e.g., a hard drive, flash memory, Phase-ChangeMemory (PCM), etc.). The bus(es) 2250 may be connected to each otherthrough various bridges, controllers, and/or adapters as is well knownin the art. The processing system 2220 may retrieve instruction(s) fromthe memory 2230 and/or the nonvolatile memory 2240, and execute theinstructions to perform operations described herein. The bus 2250interconnects the above components together and also interconnects thosecomponents to the display controller & display device 2270, Input/Outputdevices 2280 (e.g., NIC (Network Interface Card), a cursor control(e.g., mouse, touchscreen, touchpad, etc.), a keyboard, etc.), and thewireless transceiver(s) 2290 (e.g., Bluetooth, WiFi, Infrared, etc.).One or more of the components of the computing device 2200 may beoptional (e.g., the display controller and display device 2270, I/Odevices 2280, the wireless transceiver(s) 2290, etc.). In oneembodiment, the client devices 110, 410, 710, 1010, 1310, 1610, and1910, the secure session servers 120, 420, 720, 1020, 1320, 1620, and1920, and/or the key servers 130, 430, 730, 1030, 1330, 1630, and/or1930 can take the form of the computing device 2200.

The techniques shown in the figures can be implemented using code anddata stored and executed on one or more electronic devices (e.g., aclient device, a proxy server, a key server). Such electronic devicesstore and communicate (internally and/or with other electronic devicesover a network) code and data using computer-readable media, such asnon-transitory computer-readable storage media (e.g., magnetic disks;optical disks; random access memory; read only memory; flash memorydevices; phase-change memory) and transitory computer-readablecommunication media (e.g., electrical, optical, acoustical or other formof propagated signals—such as carrier waves, infrared signals, digitalsignals). In addition, such electronic devices typically include a setof one or more processors coupled to one or more other components, suchas one or more storage devices (non-transitory machine-readable storagemedia), user input/output devices (e.g., a keyboard, a touchscreen,and/or a display), and network connections. The coupling of the set ofprocessors and other components is typically through one or more bussesand bridges (also termed as bus controllers). Thus, the storage deviceof a given electronic device typically stores code and/or data forexecution on the set of one or more processors of that electronicdevice. Of course, one or more parts of an embodiment of the inventionmay be implemented using different combinations of software, firmware,and/or hardware.

While the flow diagrams in the figures show a particular order ofoperations performed by certain embodiments of the invention, it shouldbe understood that such order is exemplary (e.g., alternativeembodiments may perform the operations in a different order, combinecertain operations, overlap certain operations, etc.).

While the invention has been described in terms of several embodiments,those skilled in the art will recognize that the invention is notlimited to the embodiments described, can be practiced with modificationand alteration within the spirit and scope of the appended claims. Thedescription is thus to be regarded as illustrative instead of limiting.

What is claimed is:
 1. A method in a first server for establishing asecure session with a client device, the method comprising: receiving afirst message from the client device that initiates a handshakeprocedure to establish a secure session between the client device andthe first server and transmitting the first message to a second server;receiving, from the second server, a second message in response to thefirst message and transmitting the second message to the client device;receiving, from the second server, a third message that includes adigital certificate and transmitting the third message to the clientdevice; receiving, from the second server, a fourth message thatincludes a set of cryptographic parameters that is signed using aprivate key stored on the second server and not available on the firstserver and transmitting the fourth message to the client device, whereinthe set of cryptographic parameters are to be used by the client devicewhen generating a premaster secret and include a Diffie-Hellman publicvalue selected by the second server; receiving, from the second server,a fifth message that indicates that a server hello part of the handshakeprocedure is complete and transmitting the fifth message to the clientdevice; receiving, from the client device, a sixth message that includesa Diffie-Hellman public value selected by the client device andtransmitting the sixth message to the second server; receiving, from thesecond server, a seventh message that includes a set of one or moresession keys to be used in the secure session for encrypting anddecrypting communication between the client device and the first serverthat were generated at least using a master secret that is generatedusing a premaster secret that is generated using the Diffie-Hellmanpublic value selected by the client device and the Diffie-Hellman publicvalue selected by the second server; receiving, from the client device,an eighth message that indicates that future messages sent from theclient device will be encrypted; receiving, from the client device, aninth message that is encrypted according to the session keys;transmitting, to the client device, a tenth message that indicates thatfuture messages sent to the client device will be encrypted; andtransmitting, to the client device, an eleventh message that isencrypted according to the session keys.
 2. The method of claim 1,wherein the first server and the second server are owned or operated bydifferent entities.
 3. The method of claim 1, wherein at least thefourth message and the seventh message are received from the secondserver over a secure session between the first server and the secondserver.
 4. The method of claim 1, further comprising: after transmittingthe eleventh message to the client device, receiving from the clientdevice a request for a resource over the secure session, wherein therequest is encrypted; decrypting, using the set of session keys, therequest for the resource; transmitting the request for the resource to athird server; receiving the resource from the third server in responseto the request; generating an encrypted response that includes theretrieved resource, wherein the encrypted response is encrypted with theset of session keys; and transmitting the encrypted response to theclient device.
 5. The method of claim 4, wherein the second server andthe third server are the same server.
 6. The method of claim 1, furthercomprising: receiving, from the second server, the master secret;verifying information in the ninth message including, calculating afirst value using a function that takes as input at least the mastersecret and a hash of the first message, second message, third message,fourth message, fifth message, sixth message, and eighth message, andcomparing the calculated first value with a second value included inninth message, wherein a same first value and second value indicates asuccessful key exchange; calculating a third value using a function thattakes as input at least the master secret and a hash of the firstmessage, second message, third message, fourth message, fifth message,sixth message, eighth message, ninth message, and tenth message; andincluding the third value in the eleventh message.
 7. The method ofclaim 1, further comprising: transmitting, to the second server, theeighth message and the ninth message; and receiving, from the secondserver, the tenth message and the eleventh message.
 8. A non-transitorycomputer-readable medium storing instructions, which when executed by aset of one or more processors of a first server, cause the set ofprocessors to perform operations comprising: receiving a first messagefrom the client device that initiates a handshake procedure to establisha secure session between the client device and the first server andtransmitting the first message to a second server; receiving, from thesecond server, a second message in response to the first message andtransmitting the second message to the client device; receiving, fromthe second server, a third message that includes a digital certificateand transmitting the third message to the client device; receiving, fromthe second server, a fourth message that includes a set of cryptographicparameters that is signed using a private key stored on the secondserver and not available on the first server and transmitting the fourthmessage to the client device, wherein the set of cryptographicparameters are to be used by the client device when generating apremaster secret and include a Diffie-Hellman public value selected bythe second server; receiving, from the second server, a fifth messagethat indicates that a server hello part of the handshake procedure iscomplete and transmitting the fifth message to the client device;receiving, from the client device, a sixth message that includes aDiffie-Hellman public value selected by the client device andtransmitting the sixth message to the second server; receiving, from thesecond server, a seventh message that includes a set of one or moresession keys to be used in the secure session for encrypting anddecrypting communication between the client device and the first serverthat were generated at least using a master secret that is generatedusing a premaster secret that is generated using the Diffie-Hellmanpublic value selected by the client device and the Diffie-Hellman publicvalue selected by the second server; receiving, from the client device,an eighth message that indicates that future messages sent from theclient device will be encrypted; receiving, from the client device, aninth message that is encrypted according to the session keys;transmitting, to the client device, a tenth message that indicates thatfuture messages sent to the client device will be encrypted; andtransmitting, to the client device, an eleventh message that isencrypted according to the session keys.
 9. The non-transitorycomputer-readable medium of claim 8, wherein the first server and thesecond server are owned or operated by different entities.
 10. Thenon-transitory computer-readable medium of claim 8, wherein at least thefourth message and the seventh message are received from the secondserver over a secure session between the first server and the secondserver.
 11. The non-transitory computer-readable medium of claim 8,further storing instructions that, when executed by the set ofprocessors, cause the set of processors to perform the followingoperations: after transmitting the eleventh message to the clientdevice, receiving from the client device a request for a resource overthe secure session, wherein the request is encrypted; decrypting, usingthe set of session keys, the request for the resource; transmitting therequest for the resource to a third server; receiving the resource fromthe third server in response to the request; generating an encryptedresponse that includes the retrieved resource, wherein the encryptedresponse is encrypted with the set of session keys; and transmitting theencrypted response to the client device.
 12. The non-transitorycomputer-readable medium of claim 11, wherein the second server and thethird server are the same server.
 13. The non-transitorycomputer-readable medium of claim 8, further storing instructions that,when executed by the set of processors, cause the set of processors toperform the following operations: receiving, from the second server, themaster secret; verifying information in the ninth message including,calculating a first value using a function that takes as input at leastthe master secret and a hash of the first message, second message, thirdmessage, fourth message, fifth message, sixth message, and eighthmessage, and comparing the calculated first value with a second valueincluded in ninth message, wherein a same first value and second valueindicates a successful key exchange; calculating a third value using afunction that takes as input at least the master secret and a hash ofthe first message, second message, third message, fourth message, fifthmessage, sixth message, eighth message, ninth message, and tenthmessage; and including the third value in the eleventh message.
 14. Thenon-transitory computer-readable medium of claim 8, further storinginstructions that, when executed by the set of processors, cause the setof processors to perform the following operations: transmitting, to thesecond server, the eighth message and the ninth message; and receiving,from the second server, the tenth message and the eleventh message. 15.An apparatus comprising: a first server including a set of one or moreprocessors and a set of one or more non-transitory computer-readablestorage mediums storing instructions, that when executed by the set ofprocessors, cause the set of processors to perform the followingoperations: receive a first message from a client device that initiatesa handshake procedure to establish a secure session between the clientdevice and the first server and transmit the first message to a secondserver; receive, from the second server, a second message in response tothe first message and transmit the second message to the client device;receive, from the second server, a third message that includes a digitalcertificate and transmit the third message to the client device;receive, from the second server, a fourth message that includes a set ofcryptographic parameters that is signed using a private key stored onthe second server and not available on the first server and transmit thefourth message to the client device, wherein the set of cryptographicparameters are to be used by the client device when generating apremaster secret and include a Diffie-Hellman public value selected bythe second server; receive, from the second server, a fifth message thatindicates that a server hello part of the handshake procedure iscomplete and transmit the fifth message to the client device; receive,from the client device, a sixth message that includes a Diffie-Hellmanpublic value selected by the client device and transmit the sixthmessage to the second server; receive, from the second server, a seventhmessage that includes a set of one or more session keys to be used inthe secure session for encrypting and decrypting communication betweenthe client device and the first server that were generated at leastusing a master secret that is generated using a premaster secret that isgenerated using the Diffie-Hellman public value selected by the clientdevice and the Diffie-Hellman public value selected by the secondserver; receive, from the client device, an eighth message thatindicates that future messages sent from the client device will beencrypted; receive, from the client device, a ninth message that isencrypted according to the session keys; transmit, to the client device,a tenth message that indicates that future messages sent to the clientdevice will be encrypted; and transmit, to the client device, aneleventh message that is encrypted according to the session keys. 16.The apparatus of claim 15, wherein the first server and the secondserver are owned or operated by different entities.
 17. The apparatus ofclaim 15, wherein at least the fourth message and the seventh messageare to be received from the second server over a secure session betweenthe first server and the second server.
 18. The apparatus of claim 15,wherein the set of non-transitory computer-readable storage mediumsfurther stores instructions, that when executed by the set ofprocessors, cause the set of processors to perform the followingoperations: after transmission of the eleventh message to the clientdevice, receive from the client device a request for a resource over thesecure session, wherein the request is encrypted; decrypt, using the setof session keys, the request for the resource; transmit the request forthe resource to a third server; receive the resource from the thirdserver in response to the request; generate an encrypted response thatincludes the retrieved resource, wherein the encrypted response isencrypted with the set of session keys; and transmit the encryptedresponse to the client device.
 19. The apparatus of claim 18, whereinthe second server and the third server are the same server.
 20. Theapparatus of claim 15, wherein the set of non-transitorycomputer-readable storage mediums further stores instructions, that whenexecuted by the set of processors, cause the set of processors toperform the following operations: receive, from the second server, themaster secret; verify information in the ninth message including,calculate a first value using a function that takes as input at leastthe master secret and a hash of the first message, second message, thirdmessage, fourth message, fifth message, sixth message, and eighthmessage, and compare the calculated first value with a second valueincluded in ninth message, wherein a same first value and second valueindicates a successful key exchange; calculate a third value using afunction that takes as input at least the master secret and a hash ofthe first message, second message, third message, fourth message, fifthmessage, sixth message, eighth message, ninth message, and tenthmessage; and include the third value in the eleventh message.
 21. Theapparatus of claim 15, wherein the set of non-transitorycomputer-readable storage mediums further stores instructions, that whenexecuted by the set of processors, cause the set of processors toperform the following operations: transmit, to the second server, theeighth message and the ninth message; and receive, from the secondserver, the tenth message and the eleventh message.